Pluck-Cms Pluck vulnerabilities
43 known vulnerabilities affecting pluck-cms/pluck.
Total CVEs: 43
CISA KEV: 0
Public exploits: 7
Exploited in the wild: 0
Severity breakdown: CRITICAL 7, HIGH 17, MEDIUM 19
Vulnerabilities
Page 1 of 3
CVE-2018-11736 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | public PoC | affected ≤ 4.7.7 | v4.7.7 | published 2018-06-05
An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file.
Source: NVD
CVE-2020-29607 | P2 | HIGH | CVSS 7.2 | CWE-434 | public PoC | fixed in 4.7.13 | published 2020-12-16
A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin-privileged user to gain access to the host through the "manage files" functionality, which may result in remote code execution.
Source: NVD
CVE-2022-26965 | P2 | HIGH | CVSS 7.2 | CWE-434 | public PoC | v4.7.16 | published 2022-03-18
In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution.
Source: NVD
CVE-2020-20969 | P3 | HIGH | CVSS 7.2 | CWE-434 | public PoC | v4.7.10 | published 2023-06-20
File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file.
Source: NVD
CVE-2023-50564 | P2 | HIGH | CVSS 8.8 | CWE-434 | v4.7.18 | published 2023-12-14
An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file.
Source: NVD
CVE-2009-1765 | P3 | MEDIUM | CVSS 6.8 | public PoC | v4.6.2 | published 2009-05-22
Multiple directory traversal vulnerabilities in pluck 4.6.2, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the langpref parameter to (1) data/modules/contactform/module_info.php, (2) data/modules/blog/module_info.php, and (3) data/modules/albums/module_info.php, different vectors th
Source: NVD
CVE-2008-6253 | P3 | MEDIUM | CVSS 6.8 | CWE-22 | public PoC | v4.5.3 | published 2009-02-24
Directory traversal vulnerability in data/inc/lib/pcltar.lib.php in Pluck 4.5.3, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the g_pcltar_lib_dir parameter.
Source: NVD
CVE-2008-6842 | P3 | MEDIUM | CVSS 6.8 | CWE-22 | public PoC | v4.6.1 | published 2009-07-02
Directory traversal vulnerability in data/modules/blog/module_pages_site.php in Pluck 4.6.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the post parameter.
Source: NVD
CVE-2020-20951 | P2 | CRITICAL | CVSS 9.8 | CWE-77 | v4.7.10 | published 2021-05-18
In the Pluck-4.7.10-dev2 admin backend, a remote command execution vulnerability exists when uploading files.
Source: NVD
CVE-2019-11344 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | v4.7.8 | published 2019-04-19
data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute arbitrary code by uploading a .htaccess file that specifies SetHandler x-httpd-php for a .txt file, because only certain PHP-related filename extensions are blocked.
Source: NVD
CVE-2014-8708 | P3 | CRITICAL | CVSS 9.8 | CWE-264 | v4.7.2 | published 2017-03-17
Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via the blog form feature.
Source: NVD
CVE-2020-21564 | P3 | HIGH | CVSS 8.8 | CWE-434 | v4.7.10 | v4.7.11 | published 2020-09-30
An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. There is a file upload vulnerability that can lead to remote command execution via admin.php?action=files.
Source: NVD
CVE-2024-43042 | P3 | CRITICAL | CVSS 9.8 | CWE-307 | v4.7.18 | published 2024-08-16
Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack.
Source: NVD
CVE-2021-31746 | P3 | CRITICAL | CVSS 9.8 | CWE-22 | v4.7.15 | published 2021-12-10
Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arbitrary code execution.
Source: NVD
CVE-2018-11331 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | fixed in 4.7.6 | published 2018-05-21
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads is missing some applicable ones such as .phtml and .htaccess.
Source: NVD
CVE-2021-27984 | P3 | HIGH | CVSS 8.1 | CWE-434 | v4.7.15 | published 2021-12-10
In the Pluck-4.7.15 admin backend, a remote command execution vulnerability exists when uploading files.
Source: NVD
CVE-2023-25828 | P3 | HIGH | CVSS 7.2 | CWE-434 | fixed in 4.7.16 | v4.7.16 | published 2023-03-27
Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its "albums" module. Albums are used to create collections of images that can be inserted into web pages across the site. Albums allow the upload of various filetypes, which undergo a normalization process before being available on the site. Due to lack of fil
Source: NVD
CVE-2025-46099 | P3 | HIGH | CVSS 7.2 | CWE-434 | v4.7.20 | published 2025-07-23
In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php, resulting in arbitrary command execution through a GET parameter.
Source: NVD
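Most of the entries on this page are CWE-434 upload bypasses, and three of them (CVE-2018-11331, CVE-2018-11736, CVE-2019-11344) describe the same root cause: an extension blocklist that knows a few PHP extensions but not .phtml, and that lets a file literally named .htaccess through because its "extension" is htaccess, whatever Content-Type the client claims. The following Python is an added example written for this page, not Pluck's own PHP code; it puts the blocklist check the advisories describe next to an allowlist check, plus a small detector for the SetHandler-style .htaccess overrides from CVE-2019-11344. The extension sets, regexes, function names and sample inputs are this example's own assumptions.

```python
"""Upload filename policy: the blocklist the advisories describe beside an allowlist.

Added example in Python, not Pluck's own PHP code. A blocklist that only
names a few PHP extensions still admits .phtml, and admits a file called
.htaccess (its "extension" is htaccess). The request's Content-Type
(image/jpeg in CVE-2018-11736) never enters the decision: the client
chooses it. All names, the extension sets and the sample inputs below are
this example's own.
"""
import os
import re

# Vulnerable policy, in the spirit of "only certain PHP-related filename
# extensions are blocked" (CVE-2019-11344).
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5"}

# Hardened policy: a closed allowlist of what the feature actually needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Apache reads these regardless of how they arrived; no upload may create them.
RESERVED_BASENAMES = {".htaccess", ".htpasswd"}

# One stem, one extension, conservative charset: rules out "shell.php.jpg" and dotfiles.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")

# Directives that change how the web server executes files in a directory.
HANDLER_DIRECTIVE = re.compile(r"\s*(SetHandler|AddHandler|AddType|php_value|php_flag)\b", re.I)


def blocklist_allows(filename: str) -> bool:
    """Vulnerable check: reject a handful of extensions, accept everything else."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: no path parts, no dotfiles, exactly one allowlisted extension."""
    name = os.path.basename(filename)
    if name != filename or name in RESERVED_BASENAMES or name.startswith("."):
        return False
    if not SAFE_NAME.fullmatch(name):
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def htaccess_override_lines(content: str) -> list:
    """Detection side: lines of a .htaccess that would re-map file execution.

    Run over anything already sitting in an upload directory; an attacker who
    got a .htaccess in (CVE-2019-11344) needs one of these lines to work.
    """
    return [line.strip() for line in content.splitlines() if HANDLER_DIRECTIVE.match(line)]


# Constructed sample inputs (not taken from any real incident).
SAMPLE_UPLOADS = ["photo.jpg", "shell.php", "shell.phtml", ".htaccess", "shell.php.jpg", "../shell.jpg"]
SAMPLE_HTACCESS = (
    "# constructed sample modelled on CVE-2019-11344\n"
    '<FilesMatch "\\.txt$">\n'
    "SetHandler application/x-httpd-php\n"
    "</FilesMatch>\n"
)


def compare_policies(filenames=SAMPLE_UPLOADS) -> dict:
    """Map each filename to (blocklist verdict, allowlist verdict)."""
    return {f: (blocklist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == "__main__":
    for name, (weak, strong) in compare_policies().items():
        print(f"{name:16} blocklist={'allow' if weak else 'deny':5} allowlist={'allow' if strong else 'deny'}")
    print("override lines:", htaccess_override_lines(SAMPLE_HTACCESS))
```

The allowlist check deliberately has no Content-Type parameter; the only inputs that matter are the final stored name and, for an existing deployment, what is already on disk. Pairing the filename policy with a server configuration that refuses to execute anything under the upload directory (no handler overrides honoured there) closes the .htaccess path even if a filter slips.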
CVE-2021-31745 | P3 | HIGH | CVSS 7.5 | CWE-384 | v4.7.15 | published 2021-12-10
Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password.
Source: NVD
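Two entries on this page are about the login path rather than uploads: CVE-2024-43042 (no limit on failed attempts) and CVE-2021-31745 (sessions that survive a password change, so resetting the password does not evict an attacker). The Python below is an added example for this page, not Pluck's code, showing the two controls together: a per-account lockout with doubling duration, a fresh session id on every login (never adopting a client-supplied one), and a per-user password generation counter that every session carries, so a password change invalidates everything issued before it. Class and field names, the limits, and PBKDF2 standing in for a real password hash are assumptions of this example.

```python
"""Login throttling plus session invalidation on password change.

Added example in Python, not Pluck's own PHP code. It models the two
weaknesses described above: CVE-2024-43042 (failed logins are not limited)
and CVE-2021-31745 (sessions outlive a password change). Class and field
names, the limits, and PBKDF2 standing in for argon2/bcrypt are this
example's own choices; production code keeps this state server-side and
should also throttle per source address, not only per account.
"""
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5         # consecutive failures before an account lockout
LOCKOUT_SECONDS = 300    # first lockout length; doubles on each further lockout
SESSION_TTL = 3600       # idle sessions expire regardless of password events


class AuthService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}      # username -> {"salt", "hash", "pw_generation"}
        self.sessions = {}   # session id -> {"user", "pw_generation", "expires"}
        self.failures = {}   # username -> {"count", "locked_until", "lockouts"}

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": self._hash(salt, password), "pw_generation": 0}

    # --- throttling: the control CVE-2024-43042 reports as absent ---
    def is_locked(self, username: str) -> bool:
        rec = self.failures.get(username)
        return rec is not None and self.clock() < rec["locked_until"]

    def _record_failure(self, username: str) -> None:
        rec = self.failures.setdefault(username, {"count": 0, "locked_until": 0.0, "lockouts": 0})
        rec["count"] += 1
        if rec["count"] >= MAX_FAILURES:
            rec["locked_until"] = self.clock() + LOCKOUT_SECONDS * (2 ** rec["lockouts"])
            rec["lockouts"] += 1
            rec["count"] = 0

    # --- sessions: fresh id per login, bound to the password generation ---
    def _issue_session(self, username: str) -> str:
        # Never adopt a client-supplied id (session fixation); mint a new one each time.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "user": username,
            "pw_generation": self.users[username]["pw_generation"],
            "expires": self.clock() + SESSION_TTL,
        }
        return sid

    def login(self, username: str, password: str):
        """Return a new session id, or None. A locked account fails before the password is checked."""
        if self.is_locked(username):
            return None
        user = self.users.get(username)
        # Hash and compare even for unknown users so response time does not reveal valid names.
        salt = user["salt"] if user else bytes(16)
        expected = user["hash"] if user else bytes(32)
        candidate = self._hash(salt, password)
        if user is None or not hmac.compare_digest(candidate, expected):
            self._record_failure(username)
            return None
        self.failures.pop(username, None)
        return self._issue_session(username)

    def session_user(self, sid: str):
        """Resolve a session id to a username, or None if expired or minted under an old password."""
        s = self.sessions.get(sid)
        if s is None or self.clock() >= s["expires"]:
            self.sessions.pop(sid, None)
            return None
        if s["pw_generation"] != self.users[s["user"]]["pw_generation"]:
            self.sessions.pop(sid, None)   # the invalidation CVE-2021-31745 says is missing
            return None
        return s["user"]

    def change_password(self, sid: str, new_password: str):
        """Rotate the credential, reject every existing session, hand the caller a fresh one."""
        username = self.session_user(sid)
        if username is None:
            return None
        rec = self.users[username]
        rec["salt"] = secrets.token_bytes(16)
        rec["hash"] = self._hash(rec["salt"], new_password)
        rec["pw_generation"] += 1   # every session issued before this line is now rejected
        return self._issue_session(username)
```

The generation counter avoids having to enumerate and delete sessions at password-change time, which matters when sessions live in a store that cannot be queried by user; the check happens lazily on the next request that presents the stale cookie.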
CVE-2019-9050 | P3 | HIGH | CVSS 7.2 | CWE-434 | v4.7.9 | published 2019-02-23
An issue was discovered in Pluck 4.7.9-dev1. It allows administrators to execute arbitrary code by using action=installmodule to upload a ZIP archive, which is then extracted and executed.
Source: NVD