Authentication Remote Code Execution in pluck-cms/pluck


Reported on

Mar 13th 2023


Found authenticated Remote Code Execution (RCE) on pluck 4.7.15

While reading the source code found blacklisted extension are mentioned in the file (data/inc/files.php) at line 44 and 45. File upload function validating the file extension is match any one of the following extension (.php, php3, php4, php5, php6, php7, phtml, .phtm, .pht, .ph3, .ph4, .ph5, .asp, .cgi, .phar). If the extension matched then renaming the file with .txt extension at end.

And there is .htaccess file in files directory (upload file directory) where php_flag engine is disabled. So we can’t ale to execute the file in this directory

For successful exploitation we required to upload web shell without the forementioned extension and the file should not be in files directory. So I created a simple webshell with “.inc” extension and upload the file.

Login to the admin account. Use the following URL ( or navigate to pages -> manage files.

Upload the webshell with “.inc” extension.

We already know there is no restriction for file upload if the file extension is forementioned extension then it will renamed the file. So anyway our webshell will uploaded.

File uploaded try to execute the file. As guessed our file is not executed.

Now we need to move the file to some other directory. While analysing I found that trash directory doesn’t have any validation.

So deleting the file will move webshell to trash directory. So we can able to execute from trash directory.

Once the file is deleted then navigate to the following directory (<fileName>) to execute our web shell.

Our web shell executing successfully.

Proof of Concept

if (isset($_GET['d'])) {


Complete server takeover using the uploaded webshell.

We are processing your report and will contact the pluck-cms/pluck team within 24 hours. 2 months ago
2 months ago


Note: This vulnerability is already informed to the concern development team and they fixed this issue on 4.7.16. Requesting for CVE for this finding.

2 months ago


For confirmation please check the release notes of PluckCMS 4.7.16

We have contacted a member of the pluck-cms/pluck team and are waiting to hear back 2 months ago
pluck-cms/pluck maintainer modified the Severity from High (7.2) to Medium (6.5) 2 months ago
pluck-cms/pluck maintainer modified the Severity from Medium (6.5) to Medium (4.8) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
pluck-cms/pluck maintainer validated this vulnerability 2 months ago
Syed has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pluck-cms/pluck maintainer marked this as fixed in 4.7.17 with commit 8abdd8 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 20th 2023
pluck-cms/pluck maintainer published this vulnerability 2 months ago
pluck-cms/pluck maintainer gave praise 2 months ago
As discussed via email. Thanks
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
2 months ago


Hi, Is this vulnerability is not capable for CVE's?

to join this conversation