In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php, resulting in arbitrary command execution through a GET parameter.
History

Wed, 23 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 23 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Description In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php, resulting in arbitrary command execution through a GET parameter.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-07-23T00:00:00.000Z

Updated: 2025-07-23T13:54:38.642Z

Reserved: 2025-04-22T00:00:00.000Z

Link: CVE-2025-46099

cve-icon Vulnrichment

Updated: 2025-07-23T13:54:08.421Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-07-23T14:15:33.490

Modified: 2025-07-25T15:29:44.523

Link: CVE-2025-46099

cve-icon Redhat

No data.