An issue exists in Pluck prior to 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted.
pluck-cms pluck