Lucene search
K
Pluck-cmsPluck

43 matches found

CVE
CVE
added 2020/12/16 2:28 p.m.136 views

CVE-2020-29607

CVE-2020-29607 affects Pluck CMS prior to 4.7.13, where a file upload restriction bypass in the admin “manage files” functionality allows an authenticated admin to upload a payload and trigger remote code execution. Public references show an authenticated file-upload RCE exploit for Pluck 4.7.13 ...

7.2CVSS7.5AI score0.33428EPSS
Web
CVE
CVE
added 2022/03/18 6:33 a.m.118 views

CVE-2022-26965

CVE-2022-26965 – Pluck CMS 4.7.16 RCE via theme upload : The connected sources confirm a remote code execution vulnerability in Pluck CMS 4.7.16, exploitable by an authenticated admin using the theme upload functionality at /admin.php?action=themeinstall. The NVD entry lists CVSS v3.1 base score ...

7.2CVSS7.3AI score0.37716EPSS
CVE
CVE
added 2022/03/29 11:24 p.m.115 views

CVE-2022-27432

CVE-2022-27432 (Pluck CMS 4.7.15) —A Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to change passwords for arbitrary users, enabling account takeover. Affected: Pluck CMS, version 4.7.15. Root cause: CSRF vulnerability as described in the vulnerability entry. Impact: account ...

8.8CVSS8.8AI score0.00554EPSS
CVE
CVE
added 2023/12/14 12:0 a.m.92 views

CVE-2023-50564

CVE-2023-50564 is an authenticated arbitrary file upload vulnerability in Pluck-CMS v4.7.18. The weakness exists in the ZIP upload flow (notably the component paths like /inc/modules_install.php and endpoints such as /admin.php?action=installmodule) that allows an attacker with valid credentials ...

8.8CVSS8.8AI score0.29069EPSS
Web
CVE
CVE
added 2022/04/12 11:32 p.m.83 views

CVE-2022-26589

CVE-2022-26589 is a CSRF vulnerability in Pluck CMS v4.7.15 that allows an attacker to delete arbitrary pages. The issue is described across multiple feeds as a Cross-Site Request Forgery affecting Pluck CMS, with the core impact being unauthorized page deletion. The public records do not provide...

6.5CVSS6.5AI score0.00469EPSS
CVE
CVE
added 2023/03/27 4:35 p.m.79 views

CVE-2023-25828

Pluck CMS (authenticated) is vulnerable to remote code execution via the albums module. A lack of file extension validation allows uploading a crafted JPEG payload containing an embedded PHP web-shell, which an authenticated admin can access to achieve RCE on the web server. Affected: Pluck CMS a...

7.2CVSS7.4AI score0.01564EPSS
CVE
CVE
added 2021/05/17 9:1 p.m.77 views

CVE-2020-18198

Pluck CMS 4.7.9 contains a Cross-Site Request Forgery vulnerability in the admin images component (/admin.php?action=images) that allows remote attackers to execute arbitrary code and delete specific images. Root cause: CSRF in the images management workflow. Exploitation status and mitigation st...

8.8CVSS9.1AI score0.00932EPSS
CVE
CVE
added 2021/05/17 9:1 p.m.74 views

CVE-2020-18195

Pluck CMS v4.7.9 is affected by a Cross-Site Request Forgery (CSRF) vulnerability that allows remote attackers to execute arbitrary code and delete a specific article via the component /admin.php?action=page. Root cause is CSRF in the admin flow. No exploit vectors, practical exploit details, or ...

8.8CVSS9.1AI score0.00932EPSS
CVE
CVE
added 2024/08/16 12:0 a.m.70 views

CVE-2024-43042

CVE-2024-43042 affects Pluck CMS 4.7.18: the login subsystem does not limit failed attempts, enabling brute-force-style access attempts over the network. Public sources in the connected documents corroborate the issue's existence and classify it as high severity (CVSSv3.1: 9.8, Confidentiality, I...

9.8CVSS6.9AI score0.00632EPSS
CVE
CVE
added 2023/06/26 12:0 a.m.62 views

CVE-2023-27082

Pluck CMS is affected in versions 4.7.15 through 4.7.16-dev4 by a Cross Site Scripting (XSS) vulnerability in the /admin.php endpoint. The issue allows remote attackers to cause behavior by uploading a crafted HTML file, potentially enabling arbitrary code execution as described in the CVE-2023-2...

4.8CVSS5.1AI score0.00592EPSS
CVE
CVE
added 2009/05/22 6:0 p.m.57 views

CVE-2009-1765

Pluck CMS 4.6.2 contains multiple directory traversal/LFI vulnerabilities. When register_globals is enabled, an attacker can cause PHP to include and execute local files via the langpref parameter to data/modules/contactform/module_info.php, data/modules/blog/module_info.php, or data/modules/albu...

6.8CVSS7.2AI score0.15028EPSS
Web
CVE
CVE
added 2023/06/20 12:0 a.m.55 views

CVE-2020-20969

CVE-2020-20969 affects PluckCMS v4.7.10. An arbitrary file upload vulnerability in trashcan_restoreitem.php enables remote code execution (as per multiple sources), with PoCs noting an authenticated-admin requirement in some demonstrations. The vulnerability is consistently described as a file up...

7.2CVSS7.2AI score0.06258EPSS
Web
CVE
CVE
added 2009/07/02 10:0 a.m.53 views

CVE-2008-6842

CVE-2008-6842 affects Pluck 4.6.1, specifically the file data/modules/blog/module_pages_site.php. The vulnerability is a directory traversal in the post parameter (..), allowing remote attackers to include and execute arbitrary local files. The available sources confirm the affected software and ...

6.8CVSS7.3AI score0.01857EPSS
Web
CVE
CVE
added 2018/06/05 6:0 a.m.53 views

CVE-2018-11736

Pluck before 4.7.7-dev2 is affected by a remote code execution in /data/inc/images.php. An attacker can upload an image/jpeg/.htaccess file to execute arbitrary PHP code, leading to full compromise of affected hosts. The issue is mitigated by upgrading to Pluck 4.7.7-dev2 or applying the fixed re...

9.8CVSS9.7AI score0.08573EPSS
Web
CVE
CVE
added 2020/09/30 3:39 p.m.53 views

CVE-2020-21564

CVE-2020-21564 concerns Pluck CMS versions 4.7.10-dev2 and 4.7.11, where a file upload vulnerability can lead to remote command execution via the endpoint admin.php?action=files. The sources provided describe the vulnerability but do not specify additional technical details, exploit status, affec...

8.8CVSS8.8AI score0.03455EPSS
CVE
CVE
added 2023/06/20 12:0 a.m.50 views

CVE-2020-20919

Pluck CMS 4.7.10-dev2 is affected by a file upload vulnerability in theme.php that enables remote code execution and access to sensitive information. The issue is described for Pluck CMS and is classified with high impact (C/H, I/H, A/H) under CVSSv3.1 with AV:N, AC:L, PR:H, UI:N, S:U, affecting ...

7.2CVSS7.2AI score0.01256EPSS
CVE
CVE
added 2023/06/22 12:0 a.m.47 views

CVE-2023-27083

Pluck CMS 4.7.15–4.7.16-dev5 has a remote code execution vulnerability in /admin.php via the manage file functionality. The root cause is likely improper handling of file management in admin.php, enabling arbitrary code execution by an attacker who can access this feature. Documents consistently ...

7.2CVSS7.2AI score0.0121EPSS
CVE
CVE
added 2019/04/19 6:20 p.m.46 views

CVE-2019-11344

CVE-2019-11344 affects Pluck 4.7.8 where data/inc/files.php allows remote code execution by uploading a .htaccess that sets SetHandler x-httpd-php for a .txt file, bypassing blocked PHP-related filename extensions. This is documented across multiple feeds (NVD, Red Hat, OSV, CVE lists). Root caus...

9.8CVSS9.7AI score0.03574EPSS
CVE
CVE
added 2021/12/10 5:40 p.m.46 views

CVE-2021-31745

CVE-2021-31745 affects Pluck-CMS (Pluck 4.7.15). A session-fixation vulnerability in login.php allows an attacker to sustain unauthorized access because prior sessions are not invalidated after a password change. The available documents describe the issue and do not specify a patch version or con...

7.5CVSS7.4AI score0.01202EPSS
CVE
CVE
added 2023/09/16 11:0 p.m.46 views

CVE-2023-5013

Pluck CMS 4.7.18 is affected by a cross-site scripting vulnerability in the Installation Handler’s install.php. The issue arises from manipulating the contents argument to inject , allowing remote execution of XSS with low attack complexity according to the sources. Exploitation has been publiciz...

5.4CVSS4.3AI score0.00511EPSS
CVE
CVE
added 2018/02/18 3:0 a.m.45 views

CVE-2018-7197

CVE-2018-7197 affects Pluck up to version 4.7.4. It is a stored XSS vulnerability in the admin/blog Reaction Comments path that allows remote, unauthenticated users to inject arbitrary web script or HTML via a crafted URL. The connected documents confirm the issue and its exploitation vector but ...

6.1CVSS5.8AI score0.01416EPSS
CVE
CVE
added 2019/02/23 7:0 p.m.45 views

CVE-2019-9051

The CVE-2019-9051 entry concerns Pluck CMS 4.7.9-dev1 and describes a CSRF vulnerability that enables deleting articles via the URI /admin.php?action=deletepage&var1=. Public sources in connected documents (CNVD-2019-05782, OSV/NVD entries) confirm the vulnerable component as Pluck 4.7.9-dev1 and...

6.5CVSS6.4AI score0.00556EPSS
CVE
CVE
added 2021/05/18 3:32 p.m.45 views

CVE-2020-20951

Pluck 4.7.10-dev2 is affected by a remote command execution vulnerability in the admin background during file uploads. The issue is documented across multiple sources (e.g., PT-2021-10562) without specific CVE root-cause details in the connected set, and no official patch version is provided in t...

9.8CVSS9.5AI score0.04028EPSS
CVE
CVE
added 2017/03/17 2:0 p.m.44 views

CVE-2014-8706

CVE-2014-8706 affects Pluck CMS 4.7.2 and is an information disclosure issue. The vulnerability occurs when a remote attacker can cause PHPSESSID to be treated as an array or altered with non-alphanumeric characters, or manipulate the image parameter to an array or string, which results in an err...

5.3CVSS5.1AI score0.01115EPSS
CVE
CVE
added 2018/12/04 4:0 p.m.44 views

CVE-2018-16634

The vulnerability CVE-2018-16634 affects the Pluck CMS v4.7.7. A Cross-Site Request Forgery (CSRF) exists that allows an attacker to perform unauthorized actions via admin.php?action=settings, such as changing site name and email parameters. This is documented in CNVD-2018-25041 (Pluck CSRF vulne...

8.8CVSS8.7AI score0.00523EPSS
CVE
CVE
added 2019/02/23 7:0 p.m.44 views

CVE-2019-9052

Pluck CMS 4.7.9-dev1 is affected by a CSRF vulnerability that enables an attacker to delete images via the URI /admin.php?action=deleteimage&var1=. This is documented across multiple sources (e.g., CVE-2019-9052, CNVD-2019-05783) indicating an unauthenticated or cross-site request scenario where ...

6.5CVSS6.4AI score0.00556EPSS
CVE
CVE
added 2023/06/20 12:0 a.m.44 views

CVE-2020-20918

The CVE-2020-20918 entry affects Pluck CMS v4.7.10-dev2, where a vulnerability in the hidden parameter of admin.php during page editing allows a remote attacker to execute arbitrary PHP code. The risk is described as remote, no user interaction, with high impact to confidentiality, integrity, and...

7.2CVSS7.2AI score0.01137EPSS
CVE
CVE
added 2018/05/21 9:0 p.m.43 views

CVE-2018-11330

Pluck CMS (before 4.7.6) is affected by an authenticated stored XSS vulnerability due to improper restriction of the character set for filenames. This is consistently reported across CVE-2018-11330 entries in NVD, Red Hat, CNVD, OSV, and related records. No exploit details or remediation version ...

4.8CVSS4.7AI score0.00653EPSS
CVE
CVE
added 2018/05/21 9:0 p.m.43 views

CVE-2018-11331

Pluck CMS before 4.7.6 is affected: the upload restrictions do not cover certain filetypes (e.g., .phtml, .htaccess), enabling remote PHP code execution. Affected: Pluck before 4.7.6. Root cause: incomplete disallowed-filetypes list. Impact: remote code execution with potential high impact as per...

9.8CVSS9.8AI score0.02263EPSS
CVE
CVE
added 2019/02/23 7:0 p.m.43 views

CVE-2019-9050

Pluck 4.7.9-dev1 is vulnerable to arbitrary code execution via the ZIP upload path using action=installmodule, where the uploaded ZIP is extracted and its contents executed. The issue is documented across CVE-2019-9050 entries (NVD/CVE, CNVD, OSV, CVE List) and related records, all indicating adm...

7.2CVSS7.3AI score0.02031EPSS
CVE
CVE
added 2021/12/10 5:45 p.m.43 views

CVE-2021-31746

CVE-2021-31746 affects Pluck-CMS Pluck 4.7.15. The connected Red Hat, CNVD, OSV, NVD, CNVD and other records describe a Zip Slip vulnerability that allows uploading specially crafted zip files, causing directory traversal and potentially arbitrary code execution. The core details in the sources a...

9.8CVSS9.7AI score0.02421EPSS
CVE
CVE
added 2021/12/10 6:4 p.m.43 views

CVE-2021-31747

CVE-2021-31747 : In Pluck 4.7.15, the code path update_applet.php omits SSL certificate validation, enabling potential man-in-the-middle attacks. Affected component is the update mechanism in Pluck-CMS; impact is limited to MITM risk described in multiple sources (e.g., NVD/Red Hat/CNVD entries)....

5.8CVSS5AI score0.0034EPSS
CVE
CVE
added 2021/12/10 6:40 p.m.41 views

CVE-2021-27984

CVE-2021-27984 affects Pluck CMS, version 4.7.15. The vulnerability is a remote command execution flaw that occurs during file uploads in the admin background, caused by the admin backend not validating uploaded file content. Impact is described as arbitrary command execution on the server. The p...

8.1CVSS8.1AI score0.02529EPSS
CVE
CVE
added 2009/02/24 6:0 p.m.40 views

CVE-2008-6253

Pluck 4.5.3 is affected by a directory traversal vulnerability in data/inc/lib/pcltar.lib.php when register_globals is enabled. The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the g_pcltar_lib_dir parameter. No exploitation detai...

6.8CVSS7.4AI score0.04963EPSS
Web
CVE
CVE
added 2018/09/12 4:0 p.m.40 views

CVE-2018-16729

Pluck CMS 4.7.7 is vulnerable to cross-site scripting via an SVG file containing Javascript in a SCRIPT element, uploaded through pages->manage under admin.php?action=files. The flaw is caused by how SVGs are handled, enabling XSS. Exploitation details are not provided in the documents; no pat...

5.4CVSS5.2AI score0.00625EPSS
CVE
CVE
added 2019/02/23 7:0 p.m.40 views

CVE-2019-9048

CVE-2019-9048 affects Pluck CMS (reported for version 4.7.9-dev1). The vulnerability is a Cross-Site Request Forgery (CSRF) that allows an attacker to delete a theme (topic) via /admin.php?action=theme_delete&var1=. The description confirms the underlying flaw is CSRF; no additional exploitation ...

6.5CVSS6.4AI score0.00556EPSS
CVE
CVE
added 2019/02/23 7:0 p.m.40 views

CVE-2019-9049

CVE-2019-9049 affects Pluck 4.7.9-dev1. The issue is a CSRF vulnerability that allows deletion of modules via the URI /admin.php?action=module_delete&var1=, as described across NVD/CNVD/OSV records. The connected documents consistently identify the vulnerable component and the underlying action, ...

6.5CVSS6.4AI score0.00556EPSS
CVE
CVE
added 2012/02/21 12:0 a.m.39 views

CVE-2012-1227

The CVE-2012-1227 entry describes CSRF vulnerabilities in pluck 4.7 (admin.php) that could allow an attacker to hijack admin sessions by performing actions such as (1) changing the admin email address, (2) changing the blog title via a settings action, (3) adding a page via editpage, or (4) addin...

6.8CVSS7.4AI score0.00682EPSS
CVE
CVE
added 2017/03/17 2:0 p.m.38 views

CVE-2014-8708

Pluck CMS 4.7.2 is affected. A remote attacker can execute arbitrary code via the blog form feature, as reported by multiple sources (NVD/CNVD equivalents). Root cause details are not explicitly described in the provided documents beyond the blog form vector. No remediation or patch information i...

9.8CVSS9.7AI score0.02954EPSS
CVE
CVE
added 2018/12/04 4:0 p.m.38 views

CVE-2018-16633

Pluck v4.7.7 contains a cross-site scripting (XSS) vulnerability that can be triggered via the page title when editing a page (admin.php?action=editpage&page=...). The underlying issue is a lack of proper sanitization/escaping for the title parameter, enabling injection of malicious scripts. The ...

5.4CVSS5.2AI score0.0057EPSS
CVE
CVE
added 2021/05/18 3:28 p.m.36 views

CVE-2020-24740

CVE-2020-24740 affects Pluck 4.7.10-dev2. The issue is a CSRF vulnerability that allows an attacker to edit a page through the endpoint /admin.php?action=editpage. The description and connected records confirm this CSC vulnerability in Pluck, with CVSS v3.1 base score 4.3 (Medium) and no exploita...

4.3CVSS4.6AI score0.00403EPSS
CVE
CVE
added 2017/03/17 2:0 p.m.35 views

CVE-2014-8707

Summary: CVE-2014-8707 is a cross-site scripting (XSS) vulnerability in TinyMCE within Pluck CMS version 4.7.2. The flaw allows remote authenticated users to inject arbitrary script/HTML via the TinyMCE “edit HTML source” option. The connected CNVD entry for Pluck CMS confirms a TinyMCE XSS issue...

5.4CVSS5AI score0.00661EPSS
CVE
CVE
added 2025/07/23 12:0 a.m.23 views

CVE-2025-46099

CVE-2025-46099 affects Pluck CMS 4.7.20-dev. An authenticated attacker can upload or create a crafted PHP file in the albums module directory and access it via the albums.site.php routing logic, enabling arbitrary command execution through a GET parameter. Root cause: flaw in the module routing l...

7.2CVSS6.9AI score0.00464EPSS