CVE-2022-26965
published 2022-03-18

CVE-2022-26965: In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution.

Priority P2 · 61 · high · 7.2 CVSS 3.1
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 37.72% (98.4th percentile)

Affected (1 range)

Vendor | Product | Version range | Fixed in
pluck-cms | pluck | |

Detection & IOCs (extracted from sources)

url: /admin.php?action=themeinstall
path: /data/themes/shell/shell.php
filename: shell.tar
filename: shell.php
url: /login.php
  • Monitor POST requests to /admin.php?action=themeinstall — this is the specific endpoint abused for theme-based RCE upload.
  • Alert on creation or access of PHP files under /data/themes/ — the exploit drops a webshell at /data/themes/shell/shell.php after uploading a malicious .tar archive.
  • Detect multipart uploads to /admin.php?action=themeinstall using the hardcoded boundary '----WebKitFormBoundaryH7Ak5WhirAIQ8o1L', which is a static exploit artifact.
  • Flag .tar file uploads to the theme install endpoint — the exploit packages the webshell as shell.tar for delivery.
  • The exploit uses a static sec-ch-ua header value '" Not A;Brand";v="99", "Chromium";v="90"' which can serve as a network signature for this specific PoC.
  • Exploitation requires valid admin credentials — this is an authenticated RCE. Unauthenticated access to the theme upload endpoint is not possible without prior credential compromise.
  • The exploit authenticates via /login.php before uploading; detection logic should correlate a successful login event followed immediately by a POST to /admin.php?action=themeinstall.
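The correlation described in the last two bullets, plus the endpoint and /data/themes/ PHP checks, as an added Python example run over constructed web-server access-log lines (this is not code from the CVE database or from the Pluck project). It assumes a 302 from POST /login.php marks a successful login and uses a 5-minute correlation window; access logs do not show upload contents, so the .tar and multipart-boundary indicators are out of scope here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2022:10:00:01 +0000] "POST /login.php HTTP/1.1" 302 0
203.0.113.7 - - [18/Mar/2022:10:00:04 +0000] "POST /admin.php?action=themeinstall HTTP/1.1" 200 512
203.0.113.7 - - [18/Mar/2022:10:00:09 +0000] "GET /data/themes/shell/shell.php HTTP/1.1" 200 64
198.51.100.2 - - [18/Mar/2022:10:05:00 +0000] "GET /admin.php?action=themeinstall HTTP/1.1" 200 2048
198.51.100.2 - - [18/Mar/2022:10:06:00 +0000] "GET /data/themes/default/style.css HTTP/1.1" 200 900
192.0.2.9 - - [18/Mar/2022:10:10:00 +0000] "POST /login.php HTTP/1.1" 302 0
192.0.2.9 - - [18/Mar/2022:10:20:00 +0000] "POST /admin.php?action=themeinstall HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_URL = "/login.php"
THEME_INSTALL = "/admin.php?action=themeinstall"
THEME_PHP = re.compile(r"^/data/themes/.*\.php$")
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per site

def parse(line):
    """Return one record (ip, time, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def detect(log_text):
    """Emit (rule, client, path) alerts in log order."""
    alerts = []
    last_login = {}  # client -> time of last login treated as successful (302 assumed)
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec["method"] == "POST" and rec["path"] == LOGIN_URL and rec["status"] == 302:
            last_login[rec["ip"]] = rec["time"]
        elif rec["method"] == "POST" and rec["path"] == THEME_INSTALL:
            seen = last_login.get(rec["ip"])
            # Login closely followed by a theme-install POST is the stronger signal;
            # any POST to the endpoint still deserves a lower-severity alert.
            rule = "login-then-themeinstall" if seen and rec["time"] - seen <= WINDOW else "themeinstall-post"
            alerts.append((rule, rec["ip"], rec["path"]))
        # PHP being served from under /data/themes/ is where the dropped shell would live.
        if THEME_PHP.match(rec["path"].split("?", 1)[0]):
            alerts.append(("php-under-data-themes", rec["ip"], rec["path"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```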

CVSS provenance

NVD · v3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P