CVE-2022-26965
Published 2022-03-18

CVE-2022-26965: In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution.
Priority: P2 · 61 · high · CVSS 3.1 base score 7.2
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Exploit: EPSS 37.72% (98.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pluck-cms | pluck | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /admin.php?action=themeinstall — this is the specific endpoint abused for theme-based RCE upload.
- Alert on creation or access of PHP files under /data/themes/ — the exploit drops a webshell at /data/themes/shell/shell.php after uploading a malicious .tar archive.
- Detect multipart uploads to /admin.php?action=themeinstall using the hardcoded boundary '----WebKitFormBoundaryH7Ak5WhirAIQ8o1L', which is a static exploit artifact.
- Flag .tar file uploads to the theme install endpoint — the exploit packages the webshell as shell.tar for delivery.
- The exploit uses a static sec-ch-ua header value '" Not A;Brand";v="99", "Chromium";v="90"' which can serve as a network signature for this specific PoC.
- Exploitation requires valid admin credentials — this is an authenticated RCE. Unauthenticated access to the theme upload endpoint is not possible without prior credential compromise.
- The exploit authenticates via /login.php before uploading; detection logic should correlate a successful login event followed immediately by a POST to /admin.php?action=themeinstall.
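The correlation logic described in the last two points (a login followed shortly by a POST to the theme install endpoint, plus any PHP file served from under /data/themes/), implemented over web-server access logs. This is an added example written for this page, not code from the Pluck project or from any of the indexed sources. The log lines, IPs and timestamps are constructed for illustration; the 60-second correlation window and the rule that any non-4xx/5xx response to POST /login.php counts as a successful login are assumptions. Access logs do not carry the request body, so the multipart boundary and sec-ch-ua signatures above would need a WAF or full-packet source instead.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined-style); hosts and times are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2022:10:01:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Mar/2022:10:01:04 +0000] "POST /admin.php?action=themeinstall HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Mar/2022:10:01:06 +0000] "GET /data/themes/shell/shell.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Mar/2022:11:30:00 +0000] "GET /admin.php?action=themeinstall HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Mar/2022:11:30:10 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

THEME_INSTALL = "/admin.php?action=themeinstall"   # endpoint named in the advisory
LOGIN = "/login.php"                               # login endpoint named in the advisory
THEME_PHP_RE = re.compile(r"^/data/themes/.*\.php(\?|$)")  # PHP under the theme directory


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect(lines, window=timedelta(seconds=60)):
    """Return (ip, rule, timestamp) findings for the three log-visible indicators above."""
    findings = []
    last_login = {}  # client ip -> timestamp of its most recent successful login POST
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, path = ev["ip"], ev["path"]
        # Assumption: any non-error response to POST /login.php is treated as a successful login.
        if ev["method"] == "POST" and path.startswith(LOGIN) and ev["status"] < 400:
            last_login[ip] = ev["ts"]
            continue
        # Only POSTs upload a theme; a GET of the page is an admin merely viewing it.
        if ev["method"] == "POST" and path == THEME_INSTALL:
            login_ts = last_login.get(ip)
            if login_ts is not None and ev["ts"] - login_ts <= window:
                findings.append((ip, "theme-upload-after-login", ev["ts"]))
            else:
                findings.append((ip, "theme-upload", ev["ts"]))
        # Any PHP file served from the theme directory is suspicious regardless of method.
        if THEME_PHP_RE.match(path):
            findings.append((ip, "php-under-themes", ev["ts"]))
    return findings


if __name__ == "__main__":
    for ip, rule, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {ip} {rule}")
```

Run against the sample, the first client produces two findings (the upload correlated with its login two seconds earlier, then the PHP file request under /data/themes/), while the second client's GET of the theme install page produces none. A plain `theme-upload` finding without a preceding login is still worth reviewing, since the login may have landed outside the window or on a different log source.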
CVSS provenance
- NVD, CVSS v3.1: 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
Published: 2022-03-18