Pluck-Cms Pluck vulnerabilities
43 known vulnerabilities affecting pluck-cms/pluck.

Total CVEs: 43
CISA KEV: 0
Public exploits: 7
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 17, MEDIUM 19

Vulnerabilities (page 2 of 3)
CVE-2020-20919 | P3 | HIGH | CVSS 7.2 | CWE-434 | v4.7.10 | 2023-06-20
File upload vulnerability in Pluck CMS v4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information via the theme.php file.
Source: NVD
CVE-2023-27083 | P3 | HIGH | CVSS 7.2 | CWE-434 | affected ≥ 4.7.15, < 4.7.16 | v4.7.16 | 2023-06-22
An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via the manage file functionality.
Source: NVD
CVE-2020-20918 | P3 | HIGH | CVSS 7.2 | CWE-94 | v4.7.10 | 2023-06-20
An issue discovered in Pluck CMS v4.7.10-dev2 allows a remote attacker to execute arbitrary PHP code via the hidden parameter to admin.php when editing a page.
Source: NVD
CVE-2020-18198 | P3 | HIGH | CVSS 8.8 | CWE-352 | v4.7.9 | 2021-05-17
Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component /admin.php?action=images.
Source: NVD
CVE-2020-18195 | P3 | HIGH | CVSS 8.8 | CWE-352 | v4.7.9 | 2021-05-17
Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component /admin.php?action=page.
Source: NVD
CVE-2022-27432 | P3 | HIGH | CVSS 8.8 | CWE-352 | v4.7.15 | 2022-03-30
A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user, leading to account takeover.
Source: NVD
CVE-2018-16634 | P4 | HIGH | CVSS 8.8 | CWE-352 | v4.7.7 | 2018-12-04
Pluck v4.7.7 allows CSRF via admin.php?action=settings.
Source: NVD
CVE-2023-5013 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v4.7.18 | 2023-09-16
A vulnerability has been found in Pluck CMS 4.7.18 and classified as problematic. This vulnerability affects unknown code of the file install.php of the component Installation Handler. The manipulation of the argument contents with the input alert('xss') leads to cross-site scripting. The attack can be initiated remotely. The complexity of an attack is
Source: NVD
CVE-2019-9049 | P4 | MEDIUM | CVSS 6.5 | CWE-352 | v4.7.9 | 2019-02-23
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete modules via a /admin.php?action=module_delete&var1= URI.
Source: NVD
CVE-2019-9051 | P4 | MEDIUM | CVSS 6.5 | CWE-352 | v4.7.9 | 2019-02-23
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete articles via a /admin.php?action=deletepage&var1= URI.
Source: NVD
CVE-2019-9052 | P4 | MEDIUM | CVSS 6.5 | CWE-352 | v4.7.9 | 2019-02-23
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=deleteimage&var1= URI.
Source: NVD
CVE-2022-26589 | P4 | MEDIUM | CVSS 6.5 | CWE-352 | v4.7.15 | 2022-04-13
A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to delete arbitrary pages.
Source: NVD
CVE-2018-7197 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected ≤ 4.7.4 | 2018-02-18
An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to inject arbitrary web script or HTML into admin/blog Reaction Comments via a crafted URL.
Source: NVD
CVE-2019-9048 | P4 | MEDIUM | CVSS 6.5 | CWE-352 | v4.7.9 | 2019-02-23
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete a theme (aka topic) via a /admin.php?action=theme_delete&var1= URI.
Source: NVD
CVE-2012-1227 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | v4.7 | 2012-02-21
Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in pluck 4.7 allow remote attackers to hijack the authentication of admins for requests that (1) modify the admin email address or (2) modify the blog title via a settings action, (3) add a page via an editpage action, or (4) add a category via the blog module.
Source: NVD
CVE-2018-16729 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v4.7.7 | 2018-09-12
Pluck 4.7.7 allows XSS via an SVG file that contains JavaScript in a SCRIPT element and is uploaded via pages->manage under admin.php?action=files.
Source: NVD
CVE-2014-8707 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v4.7.2 | 2017-03-17
Cross-site scripting (XSS) vulnerability in TinyMCE in Pluck CMS 4.7.2 allows remote authenticated users to inject arbitrary web script or HTML via the "edit HTML source" option.
Source: NVD
CVE-2018-16633 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v4.7.7 | 2018-12-04
Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= page title.
Source: NVD
CVE-2021-31747 | P4 | MEDIUM | CVSS 4.8 | CWE-295 | v4.7.15 | 2021-12-10
A missing SSL certificate validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks.
Source: NVD
CVE-2018-11330 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 4.7.6 | 2018-05-21
An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted.
Source: NVD