pluck-cms
Web & CMS Plugins | oss-project
Latest CVEs
The 15 most recently published vulnerabilities affecting pluck-cms.
- CVE-2025-46099: In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php, resulting... (score: 7.2)
- CVE-2024-43042: Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack. (score: 9.8)
- CVE-2023-50564: An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file. (score: 8.8)
- CVE-2023-5013: Pluck CMS Installation install.php cross site scripting (score: 2.6)
- CVE-2023-27082: Cross Site Scripting (XSS) vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of crafted HTML file. (score: 4.8)
- CVE-2023-27083: An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage file functionality. (score: 7.2)
- CVE-2020-20969: File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file. (score: 7.2)
- CVE-2020-20919: File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information via the theme.php file. (score: 7.2)
- CVE-2020-20918: An issue discovered in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary PHP code via the hidden parameter to admin.php when editing a page. (score: 7.2)
- CVE-2020-20718: File Upload vulnerability in PluckCMS v.4.7.10 dev versions allows a remote attacker to execute arbitrary code via a crafted image file to the save_file() parameter. (score: 9.8)
- CVE-2023-25828: Authenticated Remote Code Execution in Pluck CMS (score: 7.2)
- CVE-2022-26589: A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to delete arbitrary pages. (score: 6.5)
- CVE-2022-27432: A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to account takeover. (score: 8.8)
- CVE-2022-26965: In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution. (score: 7.2)
- CVE-2021-27984: In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files. (score: 8.1)