Lucene search
K

4 matches found

CVE
CVE
added 2020/12/16 2:28 p.m.140 views

CVE-2020-29607

CVE-2020-29607 affects Pluck CMS prior to 4.7.13, where a file upload restriction bypass in the admin “manage files” functionality allows an authenticated admin to upload a payload and trigger remote code execution. Public references show an authenticated file-upload RCE exploit for Pluck 4.7.13 ...

7.2CVSS7.5AI score0.33428EPSS
Web
CVE
CVE
added 2023/03/27 4:35 p.m.82 views

CVE-2023-25828

Pluck CMS (authenticated) is vulnerable to remote code execution via the albums module. A lack of file extension validation allows uploading a crafted JPEG payload containing an embedded PHP web-shell, which an authenticated admin can access to achieve RCE on the web server. Affected: Pluck CMS a...

7.2CVSS7.4AI score0.01564EPSS
CVE
CVE
added 2018/05/21 9:0 p.m.43 views

CVE-2018-11330

Pluck CMS (before 4.7.6) is affected by an authenticated stored XSS vulnerability due to improper restriction of the character set for filenames. This is consistently reported across CVE-2018-11330 entries in NVD, Red Hat, CNVD, OSV, and related records. No exploit details or remediation version ...

4.8CVSS4.7AI score0.00653EPSS
CVE
CVE
added 2018/05/21 9:0 p.m.43 views

CVE-2018-11331

Pluck CMS before 4.7.6 is affected: the upload restrictions do not cover certain filetypes (e.g., .phtml, .htaccess), enabling remote PHP code execution. Affected: Pluck before 4.7.6. Root cause: incomplete disallowed-filetypes list. Impact: remote code execution with potential high impact as per...

9.8CVSS9.8AI score0.02263EPSS