Pluck-cms Pluck

43 CVEs affecting Pluck-cms Pluck. Latest disclosed: 2025-07-23. Critical: 7, High: 17.

Top CVEs affecting Pluck-cms Pluck
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2024-43042 | Critical | 9.8 | 2024-08-16 | Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack. |
| CVE-2021-31746 | Critical | 9.8 | 2021-12-10 | Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arb… |
| CVE-2020-20951 | Critical | 9.8 | 2021-05-18 | In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files. |
| CVE-2019-11344 | Critical | 9.8 | 2019-04-19 | data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute arbitrary code by uploading a .htaccess file that specifies SetHandler x-httpd-php for a… |
| CVE-2018-11736 | Critical | 9.8 | 2018-06-05 | An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jp… |
| CVE-2018-11331 | Critical | 9.8 | 2018-05-21 | An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads is missing some applic… |
| CVE-2014-8708 | Critical | 9.8 | 2017-03-17 | Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via the blog form feature. |
| CVE-2023-50564 | High | 8.8 | 2023-12-14 | An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading… |
| CVE-2022-27432 | High | 8.8 | 2022-03-30 | A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to accoun… |
| CVE-2020-18198 | High | 8.8 | 2021-05-17 | Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.p… |
| CVE-2020-18195 | High | 8.8 | 2021-05-17 | Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admi… |
| CVE-2020-21564 | High | 8.8 | 2020-09-30 | An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. There is a file upload vulnerability that can cause a remote command execution via admin.php?actio… |
| CVE-2018-16634 | High | 8.8 | 2018-12-04 | Pluck v4.7.7 allows CSRF via admin.php?action=settings. |
| CVE-2021-27984 | High | 8.1 | 2021-12-10 | In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files. |
| CVE-2021-31745 | High | 7.5 | 2021-12-10 | Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not… |
| CVE-2025-46099 | High | 7.2 | 2025-07-23 | In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routi… |
| CVE-2023-27083 | High | 7.2 | 2023-06-22 | An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage file functionality. |
| CVE-2020-20969 | High | 7.2 | 2023-06-20 | File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file. |
| CVE-2020-20919 | High | 7.2 | 2023-06-20 | File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information via the theme.php file. |
| CVE-2020-20918 | High | 7.2 | 2023-06-20 | An issue discovered in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary PHP code via the hidden parameter to admin.php when editing a page. |