CVE-2025-70129

EUVD-2025-208520

10.03.2026, 20:16

If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. The details of captcha challenge are exposed within document body of articles with comments & anti spam-captcha functionalities enabled, including "capcha-letter", "capcha-word" and "capcha-token" which can be used to construct a valid post request to publish a comment. As such, attackers can flood articles with automated spam comments, especially if there are no other web defenses available.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA-ADP	ADP	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Ubuntu Releases

Ubuntu Product

Codename

pluxml

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
questing	dne
xenial	needs-triage

Common Weakness Enumeration

CWE-804 - Guessable CAPTCHA
The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

References

https://github.com/forest4x/vuln-research-public/blob/main/CVE-2025-70129.pdf

https://youtu.be/dD2olE4yMqY