CVSS: 4.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-27082
https://notcve.org/view.php?id=CVE-2023-27082
Cross Site Scripting (XSS) vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of crafted html file. • https://medium.com/%40syed.pentester/authenticated-stored-cross-site-scripting-xss-d39aab69e58f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2023-27083
https://notcve.org/view.php?id=CVE-2023-27083
An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage file functionality. • https://medium.com/%40syed.pentester/authenticated-remote-code-execution-rce-on-pluckcms-4-7-15-c309ac1bd145 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2023-25828 – Authenticate Remote Code Execution in Pluck CMS
https://notcve.org/view.php?id=CVE-2023-25828
Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module. Albums are used to create collections of images that can be inserted into web pages across the site. Albums allow the upload of various filetypes, which undergo a normalization process before being available on the site. Due to lack of file extension validation, it is possible to upload a crafted JPEG payload containing an embedded PHP web-shell. An attacker may navigate to it directly to achieve RCE on the underlying web server. • https://www.synopsys.com/blogs/software-security/pluck-cms-vulnerability • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26589
https://notcve.org/view.php?id=CVE-2022-26589
A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to delete arbitrary pages. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en Pluck CMS versión v4.7.15, permite a atacantes eliminar páginas arbitrarias • https://medium.com/%40devansh3008/pluck-cms-v4-7-15-csrf-vulnerability-at-delete-page-9fff0309f9c https://owasp.org/www-community/attacks/csrf • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27432
https://notcve.org/view.php?id=CVE-2022-27432
A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to account takeover. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en Pluck CMS versión v4.7.15, permite a atacantes cambiar la contraseña de un usuario determinado al explotar esta funcionalidad, conllevando a una toma de posesión de la cuenta • https://owasp.org/www-community/attacks/csrf https://www.exploit-db.com/exploits/50831 • CWE-352: Cross-Site Request Forgery (CSRF) •