Every CVE whose affected-product data names Pluck-cms Pluck, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (43)
CVE-2019-11344 — CVSS 9.8 (critical): data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute arbitrary code by uploading a .htaccess file that specifies SetHandler…
CVE-2021-31746 — CVSS 9.8 (critical): Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal…
CVE-2024-43042 — CVSS 9.8 (critical): Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack.
CVE-2018-11331 — CVSS 9.8 (critical): An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in…
CVE-2018-11736 — CVSS 9.8 (critical): An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code…
CVE-2020-20951 — CVSS 9.8 (critical): In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files.
CVE-2023-50564 — CVSS 8.8 (high): An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary…
CVE-2020-18198 — CVSS 8.8 (high): Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the…
CVE-2020-21564 — CVSS 8.8 (high): An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. There is a file upload vulnerability that can cause a remote command execution…
CVE-2020-18195 — CVSS 8.8 (high): Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via…
CVE-2022-27432 — CVSS 8.8 (high): A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this…
CVE-2021-27984 — CVSS 8.1 (high): In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files.
CVE-2021-31745 — CVSS 7.5 (high): Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform…
CVE-2022-26965 — CVSS 7.2 (high): In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution.
CVE-2023-25828 — CVSS 7.2 (high): Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module. Albums are used to…
CVE-2025-46099 — CVSS 7.2 (high): In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it…
CVE-2019-9050 — CVSS 7.2 (high): An issue was discovered in Pluck 4.7.9-dev1. It allows administrators to execute arbitrary code by using action=installmodule to upload a…
CVE-2020-20918 — CVSS 7.2 (high): An issue discovered in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary php code via the hidden parameter to admin.php…
CVE-2020-20919 — CVSS 7.2 (high): File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information…
CVE-2020-20969 — CVSS 7.2 (high): File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file.
CVE-2020-29607 — CVSS 7.2 (high): A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host…
CVE-2023-27083 — CVSS 7.2 (high): An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage file…
CVE-2008-6842 — CVSS 6.8 (medium): Directory traversal vulnerability in data/modules/blog/module_pages_site.php in Pluck 4.6.1 allows remote attackers to include and execute…
CVE-2009-1765 — CVSS 6.8 (medium): Multiple directory traversal vulnerabilities in pluck 4.6.2, when register_globals is enabled, allow remote attackers to include and…
CVE-2012-1227 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in pluck 4.7 allow remote attackers to hijack the authentication of…
CVE-2008-6253 — CVSS 6.8 (medium): Directory traversal vulnerability in data/inc/lib/pcltar.lib.php in Pluck 4.5.3, when register_globals is enabled, allows remote attackers…
CVE-2019-9049 — CVSS 6.5 (medium): An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete modules via a /admin.php?action=module_delete&var…
CVE-2019-9052 — CVSS 6.5 (medium): An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=deleteimage&var1…
CVE-2022-26589 — CVSS 6.5 (medium): A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to delete arbitrary pages.
CVE-2019-9048 — CVSS 6.5 (medium): An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete a theme (aka topic) via a /admin.php?action=theme…
CVE-2019-9051 — CVSS 6.5 (medium): An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete articles via a /admin.php?action=deletepage&var1=…
CVE-2018-7197 — CVSS 6.1 (medium): An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to…
CVE-2014-8707 — CVSS 5.4 (medium): Cross-site scripting (XSS) vulnerability in TinyMCE in Pluck CMS 4.7.2 allows remote authenticated users to inject arbitrary web script or…
CVE-2018-16729 — CVSS 5.4 (medium): Pluck 4.7.7 allows XSS via an SVG file that contains Javascript in a SCRIPT element, and is uploaded via pages->manage under…
CVE-2014-8706 — CVSS 5.3 (medium): Pluck CMS 4.7.2 allows remote attackers to obtain sensitive information by (1) changing "PHPSESSID" to an array; (2) adding…
CVE-2023-27082 — CVSS 4.8 (medium): Cross Site Scripting (XSS) vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary…
CVE-2021-31747 — CVSS 4.8 (medium): Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks.
CVE-2018-11330 — CVSS 4.8 (medium): An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly…
CVE-2020-24740 — CVSS 4.3 (medium): An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage
CVE-2023-5013 — CVSS 2.6 (low): A vulnerability has been found in Pluck CMS 4.7.18 and classified as problematic. This vulnerability affects unknown code of the file…