Pluck-cms Pluck
43 CVEs affecting Pluck-cms Pluck. Latest disclosed: 2025-07-23. Critical: 7, High: 17.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-43042 | Critical | 9.8 | 2024-08-16 | Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack. |
| CVE-2021-31746 | Critical | 9.8 | 2021-12-10 | Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arb… |
| CVE-2020-20951 | Critical | 9.8 | 2021-05-18 | In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files. |
| CVE-2019-11344 | Critical | 9.8 | 2019-04-19 | data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute arbitrary code by uploading a .htaccess file that specifies SetHandler x-httpd-php for a… |
| CVE-2018-11736 | Critical | 9.8 | 2018-06-05 | An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jp… |
| CVE-2018-11331 | Critical | 9.8 | 2018-05-21 | An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads is missing some applic… |
| CVE-2014-8708 | Critical | 9.8 | 2017-03-17 | Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via the blog form feature. |
| CVE-2023-50564 | High | 8.8 | 2023-12-14 | An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading… |
| CVE-2022-27432 | High | 8.8 | 2022-03-30 | A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to accoun… |
| CVE-2020-18198 | High | 8.8 | 2021-05-17 | Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.p… |
| CVE-2020-18195 | High | 8.8 | 2021-05-17 | Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admi… |
| CVE-2020-21564 | High | 8.8 | 2020-09-30 | An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. There is a file upload vulnerability that can cause a remote command execution via admin.php?actio… |
| CVE-2018-16634 | High | 8.8 | 2018-12-04 | Pluck v4.7.7 allows CSRF via admin.php?action=settings. |
| CVE-2021-27984 | High | 8.1 | 2021-12-10 | In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files. |
| CVE-2021-31745 | High | 7.5 | 2021-12-10 | Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not… |
| CVE-2025-46099 | High | 7.2 | 2025-07-23 | In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routi… |
| CVE-2023-27083 | High | 7.2 | 2023-06-22 | An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage file functionality. |
| CVE-2020-20969 | High | 7.2 | 2023-06-20 | File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file. |
| CVE-2020-20919 | High | 7.2 | 2023-06-20 | File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information via the theme.php file. |
| CVE-2020-20918 | High | 7.2 | 2023-06-20 | An issue discovered in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary PHP code via the hidden parameter to admin.php when editing a page. |