CVE-2026-24352: PluXml CMS
CVE-2026-24352 lets unauthenticated attackers hijack user sessions in PluXml CMS 5.8.21 and 5.9.0-rc7; no patch is available yet. Apply WAF mitigation immediately or restrict admin access.
Patch now - CVE-2026-24352 is a critical session-fixation flaw in PluXml CMS versions 5.8.21 and 5.9.0-rc7 that lets an attacker pre-set any user’s session ID, then hijack that session after login to gain full administrator access without a password. No official patch exists, so implement immediate WAF rules to block pre-login session ID tampering.
Overview
A critical security vulnerability has been identified in PluXml CMS that allows an attacker to hijack user sessions, including administrator accounts. This flaw stems from the improper handling of session identifiers.
Vulnerability Explanation
In simple terms, a session ID is like a temporary, secret key assigned to you when you log into a website. PluXml CMS has a flaw where an attacker can pre-set or “fix” what that key will be for another user before that user logs in. When the victim later logs in successfully, the system continues to use the attacker-chosen key. Because the attacker knows the key, they can impersonate the victim and gain full access to their account without needing a password.
Impact
The impact of this vulnerability is severe. A successful attack could lead to:
- Full site compromise: An attacker could hijack an administrator session to modify website content, upload malicious files, or deface the site.
- Data theft: Attackers could access sensitive user data, private content, or configuration files.
- Persistence: Attackers could create new administrative accounts to maintain access even after the initial vulnerability is addressed.
With a CVSS score of 9.8 (CRITICAL), this vulnerability is highly exploitable and can lead to complete system compromise.
Affected Versions
Versions 5.8.21 and 5.9.0-rc7 have been confirmed as vulnerable. The vendor did not provide a full vulnerable version range, so other versions of PluXml CMS may also be affected.
Remediation and Mitigation
As the vendor has not yet provided an official patch, users must take immediate action.
- Apply the Official Fix: Monitor the official PluXml website and GitHub repository for a security update. Apply any patch immediately upon release.
- Immediate Mitigation (If No Patch is Available): If you must run a vulnerable version, consider implementing a Web Application Firewall (WAF) rule to block requests that attempt to set the session ID parameter before login. This is a temporary, non-guaranteed workaround.
- General Security Hygiene:
  - Restrict Access: Limit administrative access to the CMS backend to trusted IP addresses if possible.
  - Use Strong Passwords: Ensure all user accounts, especially administrators, use strong, unique passwords.
  - Monitor Logs: Closely monitor application and server logs for any suspicious activity, such as logins from unexpected locations.
Important Note: The most secure course of action is to treat all unpatched versions as vulnerable. If a patch is not forthcoming, consider the risk of continued use carefully.
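The following PHP is an added illustration of the session-fixation pattern described under Vulnerability Explanation and of the server-side controls a PHP application would use to close it; it is not PluXml's code and makes no claim about where PluXml's login logic lives. The user store, `check_credentials`, `login_vulnerable`, `login_hardened` and `require_login` are hypothetical names constructed for this example.

```php
<?php
// Added example, not PluXml code. Demonstrates why a pre-login session ID must not
// survive authentication, and the two controls that prevent session fixation in PHP.

// Control 1: refuse session IDs the server never issued. With strict mode off, PHP
// accepts any PHPSESSID value a client presents and starts a session under it, which
// is exactly what allows an attacker to pre-choose the ID a victim will log in with.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');   // keep the cookie away from script access
ini_set('session.cookie_samesite', 'Lax');
if (!empty($_SERVER['HTTPS'])) {
    ini_set('session.cookie_secure', '1');
}
session_start();

// Constructed demo user store (hypothetical); a real store would live in a database.
$USERS = ['admin' => password_hash('demo-password-only', PASSWORD_DEFAULT)];

function check_credentials(string $user, string $password): bool {
    global $USERS;
    return isset($USERS[$user]) && password_verify($password, $USERS[$user]);
}

/** Vulnerable pattern: the session ID in use before login is kept after login. */
function login_vulnerable(string $user, string $password): bool {
    if (!check_credentials($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user;   // whoever fixed this ID beforehand now shares the session
    return true;
}

/** Hardened pattern: a privilege change always issues a fresh ID and drops the old one. */
function login_hardened(string $user, string $password): bool {
    if (!check_credentials($user, $password)) {
        return false;
    }
    $old = session_id();
    // Control 2: true = delete the old session data, so the pre-login ID maps to nothing.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    // Log the rotation; an authenticated request arriving with $old is worth alerting on.
    error_log(sprintf('login %s: session %s -> %s', $user, $old, session_id()));
    return true;
}

/** Guard for authenticated pages: only sessions created by login_hardened() pass. */
function require_login(): void {
    if (empty($_SESSION['user']) || empty($_SESSION['auth_time'])) {
        session_destroy();
        http_response_code(403);
        exit;
    }
}
```

The same two controls apply regardless of framework: never accept a client-supplied session identifier the server did not create, and always regenerate the identifier at the moment of authentication.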