
pluck cms pluck

48 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2025-46099
all versions
In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and a
7.2 HIGH
CVE-2024-43042
all versions
Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack.
9.8 CRITICAL
CVE-2023-50564
all versions
An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute
8.8 HIGH
CVE-2023-5013
all versions
A vulnerability has been found in Pluck CMS 4.7.18 and classified as problematic. This vulnerability affects unknown code of the f
2.6 LOW
CVE-2023-27082
>= 4.7.15 and < 4.7.16
Cross Site Scripting (XSS) vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbi
4.8 MEDIUM
CVE-2023-27083
>= 4.7.15 and < 4.7.16
An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage
7.2 HIGH
CVE-2020-20969
all versions
File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php
7.2 HIGH
CVE-2020-20919
all versions
File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive infor
7.2 HIGH
CVE-2020-20918
all versions
An issue discovered in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary php code via the hidden parameter to
7.2 HIGH
CVE-2023-25828
< 4.7.16
Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module. Albums are
7.2 HIGH
CVE-2022-26589
all versions
A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to delete arbitrary pages.
6.5 MEDIUM
CVE-2022-27432
all versions
A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting t
8.8 HIGH
CVE-2022-26965
all versions
In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code exe
7.2 HIGH
CVE-2021-31747
all versions
Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attack
4.8 MEDIUM
CVE-2021-27984
all versions
In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files.
8.1 HIGH
CVE-2021-31746
all versions
Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory
9.8 CRITICAL
CVE-2021-31745
all versions
Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the pla
7.5 HIGH
CVE-2020-24740
all versions
An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage
4.3 MEDIUM
CVE-2020-20951
all versions
In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files.
9.8 CRITICAL
CVE-2020-18198
all versions
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images
8.8 HIGH
CVE-2020-18195
all versions
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific arti
8.8 HIGH
CVE-2020-29607
< 4.7.13
A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the ho
7.2 HIGH
CVE-2020-21564
all versions
An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. There is a file upload vulnerability that can cause a remote command
8.8 HIGH
CVE-2019-11344
all versions
data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute arbitrary code by uploading a .htaccess file that specifies S
9.8 CRITICAL
CVE-2019-9052
all versions
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=delete
6.5 MEDIUM
CVE-2019-9051
all versions
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete articles via a /admin.php?action=delete
6.5 MEDIUM
CVE-2019-9050
all versions
An issue was discovered in Pluck 4.7.9-dev1. It allows administrators to execute arbitrary code by using action=installmodule to u
7.2 HIGH
CVE-2019-9049
all versions
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete modules via a /admin.php?action=module_
6.5 MEDIUM
CVE-2019-9048
all versions
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete a theme (aka topic) via a /admin.php?ac
6.5 MEDIUM
CVE-2018-16634
all versions
Pluck v4.7.7 allows CSRF via admin.php?action=settings.
8.8 HIGH
CVE-2018-16633
all versions
Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= page title.
5.4 MEDIUM
CVE-2018-16729
all versions
Pluck 4.7.7 allows XSS via an SVG file that contains Javascript in a SCRIPT element, and is uploaded via pages-manage under admin.
5.4 MEDIUM
CVE-2018-11736
<= 4.7.7
An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary P
9.8 CRITICAL
CVE-2018-11331
< 4.7.6
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for u
9.8 CRITICAL
CVE-2018-11330
< 4.7.6
An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not pr
4.8 MEDIUM
CVE-2018-7197
<= 4.7.4
An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated us
6.1 MEDIUM
CVE-2014-8708
all versions
Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via the blog form feature.
9.8 CRITICAL
CVE-2014-8707
all versions
Cross-site scripting (XSS) vulnerability in TinyMCE in Pluck CMS 4.7.2 allows remote authenticated users to inject arbitrary web s
5.4 MEDIUM
CVE-2014-8706
all versions
Pluck CMS 4.7.2 allows remote attackers to obtain sensitive information by (1) changing "PHPSESSID" to an array; (2) adding non-al
5.3 MEDIUM
CVE-2012-1227
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in pluck 4.7 allow remote attackers to hijack the authenti
CVE-2008-6842
all versions
Directory traversal vulnerability in data/modules/blog/module_pages_site.php in Pluck 4.6.1 allows remote attackers to include and
CVE-2009-1765
all versions
Multiple directory traversal vulnerabilities in pluck 4.6.2, when register_globals is enabled, allow remote attackers to include a
CVE-2008-6253
all versions
Directory traversal vulnerability in data/inc/lib/pcltar.lib.php in Pluck 4.5.3, when register_globals is enabled, allows remote a
CVE-2008-3851
all versions
Multiple directory traversal vulnerabilities in Pluck CMS 4.5.2 on Windows allow remote attackers to include and execute arbitrary
CVE-2008-3574
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Pluck 4.5.2, when register_globals is enabled, allow remote attackers to in
CVE-2008-3194
all versions
Multiple directory traversal vulnerabilities in data/inc/themes/predefined_variables.php in pluck 4.5.1 allow remote attackers to
CVE-2007-4181
all versions
PHP remote file inclusion vulnerability in data/inc/theme.php in Pluck 4.3, when register_globals is enabled, allows remote attack
CVE-2007-4180
all versions
Directory traversal vulnerability in data/inc/theme.php in Pluck 4.3, when register_globals is enabled, allows remote attackers to