PluXml prior to 5.1.6 allows remote malicious users to obtain the installation path via the PHPSESSID.
pluxml pluxml