
7 matches found

CVE, added 2018/06/05 6:29 a.m., 35 views

CVE-2018-11736

An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file.

CVSS 9.8, AI score 9.7, EPSS 0.00864

CVE, added 2018/12/04 4:29 p.m., 35 views

CVE-2018-16634

Pluck v4.7.7 allows CSRF via admin.php?action=settings.

CVSS 8.8, AI score 8.7, EPSS 0.00141

CVE, added 2018/02/18 3:29 a.m., 35 views

CVE-2018-7197

An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to inject arbitrary web script or HTML into admin/blog Reaction Comments via a crafted URL.

CVSS 6.1, AI score 5.8, EPSS 0.00384

CVE, added 2018/05/21 9:29 p.m., 32 views

CVE-2018-11330

An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted.

CVSS 4.8, AI score 4.7, EPSS 0.00265

CVE, added 2018/05/21 9:29 p.m., 32 views

CVE-2018-11331

An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads is missing some applicable ones such as .phtml and .htaccess.

CVSS 9.8, AI score 9.8, EPSS 0.0078

CVE, added 2018/09/12 4:29 p.m., 29 views

CVE-2018-16729

Pluck 4.7.7 allows XSS via an SVG file that contains JavaScript in a SCRIPT element, and is uploaded via pages->manage under admin.php?action=files.

CVSS 5.4, AI score 5.2, EPSS 0.00236

CVE, added 2018/12/04 4:29 p.m., 26 views

CVE-2018-16633

Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= page title.

CVSS 5.4, AI score 5.2, EPSS 0.00206