### Critical Vulnerability Information

- **Title**: PluXml 5.8.22 Deserialization Vulnerability
- **Description**:
  - PluXml CMS version 5.8.22 and earlier contains a critical backend deserialization vulnerability that allows authenticated attackers to achieve remote code execution.
  - The vulnerability arises from improper handling of user-controlled file parameters in the media management module (`core/admin/medias.php`), which triggers PHP stream wrapper processing during file operations.
  - By uploading a malicious Phar archive disguised as an image file and then triggering deserialization through the file rename functionality using a `phar://` protocol path, attackers can exploit a gadget chain in the bundled Guzzle HTTP library (`FileCookieJar::__destruct()` -> `save()`) to write arbitrary PHP code to the server, resulting in remote code execution.
- **Source**: https://note-hxlab.wetolink.com/share/9SJUnaDcJuqz
- **User**: V3geD4g (UID 60725)
- **Submission**: 12/12/2025 08:12 AM
- **Moderation**: 01/02/2026 10:57 AM
- **Status**: Accepted
- **VulDB Entry**: 239383 [PluXml up to 5.8.22 Media Management core/admin/medias.php __destruct File deserialization]
- **Points**: 20
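The description above comes down to a user-supplied file parameter reaching PHP filesystem functions with a stream wrapper prefix intact. The following is an added example of the kind of validation a rename handler can apply before any file operation; it is not PluXml's code or its patch, and the function names, the allowed extensions and the demo directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not PluXml code): map a user-supplied media name to a
// real file inside $mediaRoot, or return null if it must not be used.
function resolve_media_path(string $mediaRoot, string $userValue): ?string
{
    if ($userValue === '' || strpos($userValue, "\0") !== false) {
        return null;
    }
    // A "scheme://" prefix (phar://, php://, ...) selects a PHP stream
    // wrapper instead of a plain file; refuse it before any file function.
    if (strpos($userValue, '://') !== false) {
        return null;
    }
    $root = realpath($mediaRoot);
    $path = realpath($mediaRoot . DIRECTORY_SEPARATOR . $userValue);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment: the resolved file must still live under the media root.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Hypothetical helper: the rename target is a bare file name with an
// allowlisted character set and extension, never a path or a URL.
function safe_new_name(string $userValue): ?string
{
    $ok = preg_match('/^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$/i', $userValue);
    return $ok === 1 ? $userValue : null;
}

// Constructed demo inputs; the directory and file are created for the demo.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'medias_demo';
@mkdir($root);
file_put_contents($root . DIRECTORY_SEPARATOR . 'logo.png', 'x');

$samples = ['logo.png', 'phar://logo.png/a', 'PHAR://logo.png', '../../etc/passwd'];
foreach ($samples as $value) {
    $resolved = resolve_media_path($root, $value);
    printf("%-20s => %s\n", $value, $resolved ?? 'rejected');
}
printf("%-20s => %s\n", 'new.png', safe_new_name('new.png') ?? 'rejected');
printf("%-20s => %s\n", 'phar://x/new.png', safe_new_name('phar://x/new.png') ?? 'rejected');
```

PHP 8.0 and later no longer unserialize Phar metadata automatically when a `phar://` path is opened, so the runtime version is a second layer on top of input validation.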