Product:

Pluck

(Pluck\-Cms)
Repositories https://github.com/pluck-cms/pluck
#Vulnerabilities 42
Date Id Summary Products Score Patch Annotated
2019-02-23 CVE-2019-9052 An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=deleteimage&var1= URI. Pluck 6.5
2019-02-23 CVE-2019-9051 An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete articles via a /admin.php?action=deletepage&var1= URI. Pluck 6.5
2019-02-23 CVE-2019-9050 An issue was discovered in Pluck 4.7.9-dev1. It allows administrators to execute arbitrary code by using action=installmodule to upload a ZIP archive, which is then extracted and executed. Pluck 7.2
2019-02-23 CVE-2019-9049 An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete modules via a /admin.php?action=module_delete&var1= URI. Pluck 6.5
2019-02-23 CVE-2019-9048 An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete a theme (aka topic) via a /admin.php?action=theme_delete&var1= URI. Pluck 6.5
2019-04-19 CVE-2019-11344 data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute arbitrary code by uploading a .htaccess file that specifies SetHandler x-httpd-php for a .txt file, because only certain PHP-related filename extensions are blocked. Pluck 9.8
2018-02-18 CVE-2018-7197 An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to inject arbitrary web script or HTML into admin/blog Reaction Comments via a crafted URL. Pluck 6.1
2018-09-12 CVE-2018-16729 Pluck 4.7.7 allows XSS via an SVG file that contains Javascript in a SCRIPT element, and is uploaded via pages->manage under admin.php?action=files. Pluck 5.4
2018-12-04 CVE-2018-16634 Pluck v4.7.7 allows CSRF via admin.php?action=settings. Pluck 8.8
2018-12-04 CVE-2018-16633 Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= page title. Pluck 5.4