Export CSV

Products

1 vendor
VendorProductsCVEsKEVAvg EPSSWorst Severity
245066.9%CRITICAL

Related CVEs

45
CVE IDDescriptionSeverityCVSSKEVEPSSPublished
CVE-2025-46099In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php, resulting in arbitrary command execution through a GET parameter.HIGH7.239.3%Jul 23, 2025
CVE-2024-43042Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack.CRITICAL9.845.7%Aug 16, 2024
CVE-2023-50564An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file.HIGH8.897.9%Dec 14, 2023
CVE-2023-5013A vulnerability has been found in Pluck CMS 4.7.18 and classified as problematic. This vulnerability affects unknown code of the file install.php of the component Installation Handler. The manipulation of the argument contents with the input <script>alert('xss')</script> leads to cross site scripting. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-239854 is the identifier assigned to this vulnerability.MEDIUM5.439.7%Sep 16, 2023
CVE-2023-27082Cross Site Scripting (XSS) vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of crafted html file.MEDIUM4.8Jun 26, 2023
CVE-2023-27083An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage file functionality.HIGH7.2Jun 22, 2023
CVE-2020-20969File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file.HIGH7.292.7%Jun 20, 2023
CVE-2020-20919File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information via the theme.php file.HIGH7.265.8%Jun 20, 2023
CVE-2020-20918An issue discovered in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary php code via the hidden parameter to admin.php when editing a page.HIGH7.262.5%Jun 20, 2023
CVE-2020-20718File Upload vulnerability in PluckCMS v.4.7.10 dev versions allows a remote attacker to execute arbitrary code via a crafted image file to the the save_file() parameter.CRITICAL9.867.1%Jun 20, 2023
CVE-2023-25828 Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module. Albums are used to create collections of images that can be inserted into web pages across the site. Albums allow the upload of various filetypes, which undergo a normalization process before being available on the site. Due to lack of file extension validation, it is possible to upload a crafted JPEG payload containing an embedded PHP web-shell. An attacker may navigate to it directly to achieve RCE on the underlying web server. Administrator credentials for the Pluck CMS web interface are required to access the albums module feature, and are thus required to exploit this vulnerability. CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C (8.2 High) HIGH7.272.2%Mar 27, 2023
CVE-2022-26589A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to delete arbitrary pages.MEDIUM6.5Apr 13, 2022
CVE-2022-27432A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to account takeover.HIGH8.8Mar 30, 2022
CVE-2022-26965In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution.HIGH7.2Mar 18, 2022
CVE-2021-31747Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks.MEDIUM4.8Dec 10, 2021
CVE-2021-27984In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files.HIGH8.1Dec 10, 2021
CVE-2021-31746Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arbitrary code execution.CRITICAL9.8Dec 10, 2021
CVE-2021-31745Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password.HIGH7.5Dec 10, 2021
CVE-2020-24740An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpageMEDIUM4.332.1%May 18, 2021
CVE-2020-20951In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files.CRITICAL9.889.3%May 18, 2021