Skip to main content

Pluck

33 CVEs product

Monthly

CVE-2025-46099 HIGH This Week

Arbitrary command execution in Pluck CMS 4.7.20-dev lets an authenticated administrator upload a crafted PHP file into the albums module directory and then invoke it through the routing logic in albums.site.php, passing OS commands via a GET parameter. The flaw stems from unrestricted file upload (CWE-434) combined with the module directory being directly web-accessible and PHP-executable, turning legitimate album management into a code-execution primitive. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, with a low EPSS probability of 0.51% (40th percentile).

PHP File Upload Pluck
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2024-43042 CRITICAL POC Act Now

Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Pluck
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2023-50564 HIGH POC THREAT This Week

An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload PHP Pluck
NVD GitHub
CVSS 3.1
8.8
EPSS
29.1%
CVE-2023-5013 MEDIUM POC This Month

A vulnerability has been found in Pluck CMS 4.7.18 and classified as problematic. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Pluck
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-27082 MEDIUM This Month

Cross Site Scripting (XSS) vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of crafted html file. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP RCE XSS Pluck
NVD
CVSS 3.1
4.8
EPSS
0.6%
CVE-2023-27083 HIGH This Week

An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage file functionality. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload PHP Pluck
NVD
CVSS 3.1
7.2
EPSS
1.2%
CVE-2023-25828 HIGH PATCH This Week

Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE File Upload PHP Pluck
NVD
CVSS 3.1
7.2
EPSS
1.6%
CVE-2022-26589 MEDIUM This Month

A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to delete arbitrary pages. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Pluck
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-27432 HIGH POC This Week

A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to account takeover. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Pluck
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-26965 HIGH POC THREAT This Week

In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload Pluck
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
37.7%
CVE-2021-31747 MEDIUM This Month

Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

PHP Information Disclosure Pluck
NVD GitHub
CVSS 3.1
4.8
EPSS
0.3%
CVE-2021-27984 HIGH POC This Week

In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

File Upload Pluck
NVD GitHub
CVSS 3.1
8.1
EPSS
2.5%
CVE-2021-31746 CRITICAL POC Act Now

Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Pluck
NVD GitHub
CVSS 3.1
9.8
EPSS
2.4%
CVE-2021-31745 HIGH POC This Week

Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Session Fixation Authentication Bypass Pluck
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-29607 HIGH POC THREAT This Week

A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the "manage files" functionality, which may result in. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Pluck
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
33.4%
CVE-2020-21564 HIGH POC This Week

An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Pluck
NVD GitHub
CVSS 3.1
8.8
EPSS
3.5%
CVE-2019-11344 CRITICAL POC Act Now

data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute arbitrary code by uploading a .htaccess file that specifies SetHandler x-httpd-php for a .txt file, because only certain. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload RCE Pluck
NVD GitHub
CVSS 3.0
9.8
EPSS
3.6%
CVE-2019-9052 MEDIUM POC This Month

An issue was discovered in Pluck 4.7.9-dev1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Pluck
NVD GitHub
CVSS 3.0
6.5
EPSS
0.6%
CVE-2019-9051 MEDIUM POC This Month

An issue was discovered in Pluck 4.7.9-dev1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Pluck
NVD GitHub
CVSS 3.0
6.5
EPSS
0.6%
CVE-2019-9050 HIGH POC This Week

An issue was discovered in Pluck 4.7.9-dev1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Pluck
NVD GitHub
CVSS 3.0
7.2
EPSS
2.0%
CVE-2019-9049 MEDIUM POC This Month

An issue was discovered in Pluck 4.7.9-dev1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Pluck
NVD GitHub
CVSS 3.0
6.5
EPSS
0.6%
CVE-2019-9048 MEDIUM POC This Month

An issue was discovered in Pluck 4.7.9-dev1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Pluck
NVD GitHub
CVSS 3.0
6.5
EPSS
0.6%
CVE-2018-16634 HIGH POC This Week

Pluck v4.7.7 allows CSRF via admin.php?action=settings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Pluck
NVD GitHub
CVSS 3.0
8.8
EPSS
0.5%
CVE-2018-16633 MEDIUM POC This Month

Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= page title. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Pluck
NVD GitHub
CVSS 3.0
5.4
EPSS
0.6%
CVE-2018-16729 MEDIUM POC This Month

Pluck 4.7.7 allows XSS via an SVG file that contains Javascript in a SCRIPT element, and is uploaded via pages->manage under admin.php?action=files. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Pluck
NVD GitHub
CVSS 3.0
5.4
EPSS
0.6%
CVE-2018-11736 CRITICAL POC Act Now

An issue was discovered in Pluck before 4.7.7-dev2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Pluck
NVD GitHub Exploit-DB
CVSS 3.0
9.8
EPSS
8.6%
CVE-2018-11331 CRITICAL PATCH Act Now

An issue was discovered in Pluck before 4.7.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload RCE PHP Pluck
NVD GitHub
CVSS 3.0
9.8
EPSS
2.3%
CVE-2018-11330 MEDIUM PATCH This Month

An issue was discovered in Pluck before 4.7.6. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Pluck
NVD GitHub
CVSS 3.0
4.8
EPSS
0.7%
CVE-2018-7197 MEDIUM POC This Month

An issue was discovered in Pluck through 4.7.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pluck
NVD GitHub
CVSS 3.0
6.1
EPSS
1.4%
CVE-2014-8708 CRITICAL POC Act Now

Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via the blog form feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Privilege Escalation Pluck
NVD
CVSS 3.0
9.8
EPSS
2.7%
CVE-2014-8707 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in TinyMCE in Pluck CMS 4.7.2 allows remote authenticated users to inject arbitrary web script or HTML via the "edit HTML source" option. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pluck
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2014-8706 MEDIUM POC This Month

Pluck CMS 4.7.2 allows remote attackers to obtain sensitive information by (1) changing "PHPSESSID" to an array; (2) adding non-alphanumeric chars to "PHPSESSID"; (3) changing the image parameter to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Pluck
NVD
CVSS 3.0
5.3
EPSS
0.2%
CVE-2012-1227 MEDIUM POC This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in pluck 4.7 allow remote attackers to hijack the authentication of admins for requests that (1) modify the admin email address. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF PHP Pluck
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
0.1%
EPSS 1% CVSS 7.2
HIGH This Week

Arbitrary command execution in Pluck CMS 4.7.20-dev lets an authenticated administrator upload a crafted PHP file into the albums module directory and then invoke it through the routing logic in albums.site.php, passing OS commands via a GET parameter. The flaw stems from unrestricted file upload (CWE-434) combined with the module directory being directly web-accessible and PHP-executable, turning legitimate album management into a code-execution primitive. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, with a low EPSS probability of 0.51% (40th percentile).

PHP File Upload Pluck
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Pluck
NVD GitHub
EPSS 29% CVSS 8.8
HIGH POC THREAT This Week

An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload PHP +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

A vulnerability has been found in Pluck CMS 4.7.18 and classified as problematic. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Pluck
NVD GitHub VulDB
EPSS 1% CVSS 4.8
MEDIUM This Month

Cross Site Scripting (XSS) vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of crafted html file. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP RCE XSS +1
NVD
EPSS 1% CVSS 7.2
HIGH This Week

An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage file functionality. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload PHP +1
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE File Upload PHP +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to delete arbitrary pages. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Pluck
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to account takeover. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Pluck
NVD Exploit-DB
EPSS 38% CVSS 7.2
HIGH POC THREAT This Week

In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload +1
NVD Exploit-DB
EPSS 0% CVSS 4.8
MEDIUM This Month

Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

PHP Information Disclosure Pluck
NVD GitHub
EPSS 3% CVSS 8.1
HIGH POC This Week

In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

File Upload Pluck
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Pluck
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Session Fixation Authentication Bypass +1
NVD GitHub
EPSS 33% CVSS 7.2
HIGH POC THREAT This Week

A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the "manage files" functionality, which may result in. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Pluck
NVD GitHub Exploit-DB
EPSS 3% CVSS 8.8
HIGH POC This Week

An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Pluck
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute arbitrary code by uploading a .htaccess file that specifies SetHandler x-httpd-php for a .txt file, because only certain. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload RCE +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

An issue was discovered in Pluck 4.7.9-dev1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Pluck
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

An issue was discovered in Pluck 4.7.9-dev1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Pluck
NVD GitHub
EPSS 2% CVSS 7.2
HIGH POC This Week

An issue was discovered in Pluck 4.7.9-dev1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Pluck
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

An issue was discovered in Pluck 4.7.9-dev1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Pluck
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

An issue was discovered in Pluck 4.7.9-dev1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Pluck
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

Pluck v4.7.7 allows CSRF via admin.php?action=settings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Pluck
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= page title. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Pluck
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Pluck 4.7.7 allows XSS via an SVG file that contains Javascript in a SCRIPT element, and is uploaded via pages->manage under admin.php?action=files. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Pluck
NVD GitHub
EPSS 9% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in Pluck before 4.7.7-dev2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Pluck
NVD GitHub Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in Pluck before 4.7.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload RCE PHP +1
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

An issue was discovered in Pluck before 4.7.6. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Pluck
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

An issue was discovered in Pluck through 4.7.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pluck
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via the blog form feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Privilege Escalation Pluck
NVD
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in TinyMCE in Pluck CMS 4.7.2 allows remote authenticated users to inject arbitrary web script or HTML via the "edit HTML source" option. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pluck
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Pluck CMS 4.7.2 allows remote attackers to obtain sensitive information by (1) changing "PHPSESSID" to an array; (2) adding non-alphanumeric chars to "PHPSESSID"; (3) changing the image parameter to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Pluck
NVD
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in pluck 4.7 allow remote attackers to hijack the authentication of admins for requests that (1) modify the admin email address. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF PHP Pluck
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy