4 matches found
CVE-2020-29607
CVE-2020-29607 affects Pluck CMS prior to 4.7.13, where a file upload restriction bypass in the admin “manage files” functionality allows an authenticated admin to upload a payload and trigger remote code execution. Public references show an authenticated file-upload RCE exploit for Pluck 4.7.13 ...
CVE-2023-25828
Pluck CMS (authenticated) is vulnerable to remote code execution via the albums module. A lack of file extension validation allows uploading a crafted JPEG payload containing an embedded PHP web-shell, which an authenticated admin can access to achieve RCE on the web server. Affected: Pluck CMS a...
CVE-2018-11330
Pluck CMS (before 4.7.6) is affected by an authenticated stored XSS vulnerability due to improper restriction of the character set for filenames. This is consistently reported across CVE-2018-11330 entries in NVD, Red Hat, CNVD, OSV, and related records. No exploit details or remediation version ...
CVE-2018-11331
Pluck CMS before 4.7.6 is affected: the upload restrictions do not cover certain filetypes (e.g., .phtml, .htaccess), enabling remote PHP code execution. Affected: Pluck before 4.7.6. Root cause: incomplete disallowed-filetypes list. Impact: remote code execution with potential high impact as per...