43 matches found
CVE-2020-29607
CVE-2020-29607 affects Pluck CMS prior to 4.7.13, where a file upload restriction bypass in the admin “manage files” functionality allows an authenticated admin to upload a payload and trigger remote code execution. Public references show an authenticated file-upload RCE exploit for Pluck 4.7.13 ...
CVE-2022-26965
CVE-2022-26965 – Pluck CMS 4.7.16 RCE via theme upload : The connected sources confirm a remote code execution vulnerability in Pluck CMS 4.7.16, exploitable by an authenticated admin using the theme upload functionality at /admin.php?action=themeinstall. The NVD entry lists CVSS v3.1 base score ...
CVE-2022-27432
CVE-2022-27432 (Pluck CMS 4.7.15) —A Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to change passwords for arbitrary users, enabling account takeover. Affected: Pluck CMS, version 4.7.15. Root cause: CSRF vulnerability as described in the vulnerability entry. Impact: account ...
CVE-2023-50564
CVE-2023-50564 is an authenticated arbitrary file upload vulnerability in Pluck-CMS v4.7.18. The weakness exists in the ZIP upload flow (notably the component paths like /inc/modules_install.php and endpoints such as /admin.php?action=installmodule) that allows an attacker with valid credentials ...
CVE-2022-26589
CVE-2022-26589 is a CSRF vulnerability in Pluck CMS v4.7.15 that allows an attacker to delete arbitrary pages. The issue is described across multiple feeds as a Cross-Site Request Forgery affecting Pluck CMS, with the core impact being unauthorized page deletion. The public records do not provide...
CVE-2023-25828
Pluck CMS (authenticated) is vulnerable to remote code execution via the albums module. A lack of file extension validation allows uploading a crafted JPEG payload containing an embedded PHP web-shell, which an authenticated admin can access to achieve RCE on the web server. Affected: Pluck CMS a...
CVE-2020-18198
Pluck CMS 4.7.9 contains a Cross-Site Request Forgery vulnerability in the admin images component (/admin.php?action=images) that allows remote attackers to execute arbitrary code and delete specific images. Root cause: CSRF in the images management workflow. Exploitation status and mitigation st...
CVE-2020-18195
Pluck CMS v4.7.9 is affected by a Cross-Site Request Forgery (CSRF) vulnerability that allows remote attackers to execute arbitrary code and delete a specific article via the component /admin.php?action=page. Root cause is CSRF in the admin flow. No exploit vectors, practical exploit details, or ...
CVE-2024-43042
CVE-2024-43042 affects Pluck CMS 4.7.18: the login subsystem does not limit failed attempts, enabling brute-force-style access attempts over the network. Public sources in the connected documents corroborate the issue's existence and classify it as high severity (CVSSv3.1: 9.8, Confidentiality, I...
CVE-2023-27082
Pluck CMS is affected in versions 4.7.15 through 4.7.16-dev4 by a Cross Site Scripting (XSS) vulnerability in the /admin.php endpoint. The issue allows remote attackers to cause behavior by uploading a crafted HTML file, potentially enabling arbitrary code execution as described in the CVE-2023-2...
CVE-2009-1765
Pluck CMS 4.6.2 contains multiple directory traversal/LFI vulnerabilities. When register_globals is enabled, an attacker can cause PHP to include and execute local files via the langpref parameter to data/modules/contactform/module_info.php, data/modules/blog/module_info.php, or data/modules/albu...
CVE-2020-20969
CVE-2020-20969 affects PluckCMS v4.7.10. An arbitrary file upload vulnerability in trashcan_restoreitem.php enables remote code execution (as per multiple sources), with PoCs noting an authenticated-admin requirement in some demonstrations. The vulnerability is consistently described as a file up...
CVE-2008-6842
CVE-2008-6842 affects Pluck 4.6.1, specifically the file data/modules/blog/module_pages_site.php. The vulnerability is a directory traversal in the post parameter (..), allowing remote attackers to include and execute arbitrary local files. The available sources confirm the affected software and ...
CVE-2018-11736
Pluck before 4.7.7-dev2 is affected by a remote code execution in /data/inc/images.php. An attacker can upload an image/jpeg/.htaccess file to execute arbitrary PHP code, leading to full compromise of affected hosts. The issue is mitigated by upgrading to Pluck 4.7.7-dev2 or applying the fixed re...
CVE-2020-21564
CVE-2020-21564 concerns Pluck CMS versions 4.7.10-dev2 and 4.7.11, where a file upload vulnerability can lead to remote command execution via the endpoint admin.php?action=files. The sources provided describe the vulnerability but do not specify additional technical details, exploit status, affec...
CVE-2020-20919
Pluck CMS 4.7.10-dev2 is affected by a file upload vulnerability in theme.php that enables remote code execution and access to sensitive information. The issue is described for Pluck CMS and is classified with high impact (C/H, I/H, A/H) under CVSSv3.1 with AV:N, AC:L, PR:H, UI:N, S:U, affecting ...
CVE-2023-27083
Pluck CMS 4.7.15–4.7.16-dev5 has a remote code execution vulnerability in /admin.php via the manage file functionality. The root cause is likely improper handling of file management in admin.php, enabling arbitrary code execution by an attacker who can access this feature. Documents consistently ...
CVE-2019-11344
CVE-2019-11344 affects Pluck 4.7.8 where data/inc/files.php allows remote code execution by uploading a .htaccess that sets SetHandler x-httpd-php for a .txt file, bypassing blocked PHP-related filename extensions. This is documented across multiple feeds (NVD, Red Hat, OSV, CVE lists). Root caus...
CVE-2021-31745
CVE-2021-31745 affects Pluck-CMS (Pluck 4.7.15). A session-fixation vulnerability in login.php allows an attacker to sustain unauthorized access because prior sessions are not invalidated after a password change. The available documents describe the issue and do not specify a patch version or con...
CVE-2023-5013
Pluck CMS 4.7.18 is affected by a cross-site scripting vulnerability in the Installation Handler’s install.php. The issue arises from manipulating the contents argument to inject , allowing remote execution of XSS with low attack complexity according to the sources. Exploitation has been publiciz...
CVE-2018-7197
CVE-2018-7197 affects Pluck up to version 4.7.4. It is a stored XSS vulnerability in the admin/blog Reaction Comments path that allows remote, unauthenticated users to inject arbitrary web script or HTML via a crafted URL. The connected documents confirm the issue and its exploitation vector but ...
CVE-2019-9051
The CVE-2019-9051 entry concerns Pluck CMS 4.7.9-dev1 and describes a CSRF vulnerability that enables deleting articles via the URI /admin.php?action=deletepage&var1=. Public sources in connected documents (CNVD-2019-05782, OSV/NVD entries) confirm the vulnerable component as Pluck 4.7.9-dev1 and...
CVE-2020-20951
Pluck 4.7.10-dev2 is affected by a remote command execution vulnerability in the admin background during file uploads. The issue is documented across multiple sources (e.g., PT-2021-10562) without specific CVE root-cause details in the connected set, and no official patch version is provided in t...
CVE-2014-8706
CVE-2014-8706 affects Pluck CMS 4.7.2 and is an information disclosure issue. The vulnerability occurs when a remote attacker can cause PHPSESSID to be treated as an array or altered with non-alphanumeric characters, or manipulate the image parameter to an array or string, which results in an err...
CVE-2018-16634
The vulnerability CVE-2018-16634 affects the Pluck CMS v4.7.7. A Cross-Site Request Forgery (CSRF) exists that allows an attacker to perform unauthorized actions via admin.php?action=settings, such as changing site name and email parameters. This is documented in CNVD-2018-25041 (Pluck CSRF vulne...
CVE-2019-9052
Pluck CMS 4.7.9-dev1 is affected by a CSRF vulnerability that enables an attacker to delete images via the URI /admin.php?action=deleteimage&var1=. This is documented across multiple sources (e.g., CVE-2019-9052, CNVD-2019-05783) indicating an unauthenticated or cross-site request scenario where ...
CVE-2020-20918
The CVE-2020-20918 entry affects Pluck CMS v4.7.10-dev2, where a vulnerability in the hidden parameter of admin.php during page editing allows a remote attacker to execute arbitrary PHP code. The risk is described as remote, no user interaction, with high impact to confidentiality, integrity, and...
CVE-2018-11330
Pluck CMS (before 4.7.6) is affected by an authenticated stored XSS vulnerability due to improper restriction of the character set for filenames. This is consistently reported across CVE-2018-11330 entries in NVD, Red Hat, CNVD, OSV, and related records. No exploit details or remediation version ...
CVE-2018-11331
Pluck CMS before 4.7.6 is affected: the upload restrictions do not cover certain filetypes (e.g., .phtml, .htaccess), enabling remote PHP code execution. Affected: Pluck before 4.7.6. Root cause: incomplete disallowed-filetypes list. Impact: remote code execution with potential high impact as per...
CVE-2019-9050
Pluck 4.7.9-dev1 is vulnerable to arbitrary code execution via the ZIP upload path using action=installmodule, where the uploaded ZIP is extracted and its contents executed. The issue is documented across CVE-2019-9050 entries (NVD/CVE, CNVD, OSV, CVE List) and related records, all indicating adm...
CVE-2021-31746
CVE-2021-31746 affects Pluck-CMS Pluck 4.7.15. The connected Red Hat, CNVD, OSV, NVD, CNVD and other records describe a Zip Slip vulnerability that allows uploading specially crafted zip files, causing directory traversal and potentially arbitrary code execution. The core details in the sources a...
CVE-2021-31747
CVE-2021-31747 : In Pluck 4.7.15, the code path update_applet.php omits SSL certificate validation, enabling potential man-in-the-middle attacks. Affected component is the update mechanism in Pluck-CMS; impact is limited to MITM risk described in multiple sources (e.g., NVD/Red Hat/CNVD entries)....
CVE-2021-27984
CVE-2021-27984 affects Pluck CMS, version 4.7.15. The vulnerability is a remote command execution flaw that occurs during file uploads in the admin background, caused by the admin backend not validating uploaded file content. Impact is described as arbitrary command execution on the server. The p...
CVE-2008-6253
Pluck 4.5.3 is affected by a directory traversal vulnerability in data/inc/lib/pcltar.lib.php when register_globals is enabled. The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the g_pcltar_lib_dir parameter. No exploitation detai...
CVE-2018-16729
Pluck CMS 4.7.7 is vulnerable to cross-site scripting via an SVG file containing Javascript in a SCRIPT element, uploaded through pages->manage under admin.php?action=files. The flaw is caused by how SVGs are handled, enabling XSS. Exploitation details are not provided in the documents; no pat...
CVE-2019-9048
CVE-2019-9048 affects Pluck CMS (reported for version 4.7.9-dev1). The vulnerability is a Cross-Site Request Forgery (CSRF) that allows an attacker to delete a theme (topic) via /admin.php?action=theme_delete&var1=. The description confirms the underlying flaw is CSRF; no additional exploitation ...
CVE-2019-9049
CVE-2019-9049 affects Pluck 4.7.9-dev1. The issue is a CSRF vulnerability that allows deletion of modules via the URI /admin.php?action=module_delete&var1=, as described across NVD/CNVD/OSV records. The connected documents consistently identify the vulnerable component and the underlying action, ...
CVE-2012-1227
The CVE-2012-1227 entry describes CSRF vulnerabilities in pluck 4.7 (admin.php) that could allow an attacker to hijack admin sessions by performing actions such as (1) changing the admin email address, (2) changing the blog title via a settings action, (3) adding a page via editpage, or (4) addin...
CVE-2014-8708
Pluck CMS 4.7.2 is affected. A remote attacker can execute arbitrary code via the blog form feature, as reported by multiple sources (NVD/CNVD equivalents). Root cause details are not explicitly described in the provided documents beyond the blog form vector. No remediation or patch information i...
CVE-2018-16633
Pluck v4.7.7 contains a cross-site scripting (XSS) vulnerability that can be triggered via the page title when editing a page (admin.php?action=editpage&page=...). The underlying issue is a lack of proper sanitization/escaping for the title parameter, enabling injection of malicious scripts. The ...
CVE-2020-24740
CVE-2020-24740 affects Pluck 4.7.10-dev2. The issue is a CSRF vulnerability that allows an attacker to edit a page through the endpoint /admin.php?action=editpage. The description and connected records confirm this CSC vulnerability in Pluck, with CVSS v3.1 base score 4.3 (Medium) and no exploita...
CVE-2014-8707
Summary: CVE-2014-8707 is a cross-site scripting (XSS) vulnerability in TinyMCE within Pluck CMS version 4.7.2. The flaw allows remote authenticated users to inject arbitrary script/HTML via the TinyMCE “edit HTML source” option. The connected CNVD entry for Pluck CMS confirms a TinyMCE XSS issue...
CVE-2025-46099
CVE-2025-46099 affects Pluck CMS 4.7.20-dev. An authenticated attacker can upload or create a crafted PHP file in the albums module directory and access it via the albums.site.php routing logic, enabling arbitrary command execution through a GET parameter. Root cause: flaw in the module routing l...