Pluck CMS 4.7.2 allows remote malicious users to execute arbitrary code via the blog form feature.
pluck-cms pluck 4.7.2