CVE-2026-31205
- EPSS 0.28%
- Published 04.05.2026 14:16:32
- Last modified 05.05.2026 19:44:42
Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent function
CVE-2025-46099
- EPSS 0.51%
- Published 23.07.2025 00:00:00
- Last modified 14.10.2025 14:10:12
In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php, resulting in arbitrary command execution through a GET paramet...
CVE-2024-9405
- EPSS 0.45%
- Published 01.10.2024 12:15:03
- Last modified 15.04.2026 00:35:42
An incorrect limitation of a path to a restricted directory (path traversal) has been detected in Pluck CMS, affecting version 4.7.18. An unauthenticated attacker could extract sensitive information from the server via the absolute path of a file loc...
CVE-2020-20718
- EPSS 1.31%
- Published 20.06.2023 15:15:10
- Last modified 10.12.2024 18:15:22
File Upload vulnerability in PluckCMS v.4.7.10 dev versions allows a remote attacker to execute arbitrary code via a crafted image file to the save_file() parameter.
CVE-2019-1010062
- EPSS 1.81%
- Published 16.07.2019 13:15:11
- Last modified 21.11.2024 04:17:57
PluckCMS 4.7.4 and earlier is affected by: CWE-434 Unrestricted Upload of File with Dangerous Type. The impact is: get webshell. The component is: data/inc/images.php line36. The attack vector is: modify the MIME TYPE on HTTP request to upload a php ...