A theme upload functionality in Pluck CMS before 4.7.16 allows an admin-privileged user to gain access to the host through the "themes files", which may result in remote code execution. This rendition of the original exploit includes patches for problems I had when executing the script and automatic theme shell injection.
Author: Jack Potter
Original discovery: Ashish Koli (Shikari)
Version: 4.7.16
CVE: CVE-2022-26965
Example: python fullPluckStager.py -t 127.0.0.1 --password pass1 --theme /theme/bestfriends.tar.gz --shell /shell/shell.php -u /pluck-4.7.16-dev5
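
For defenders, an added example (not part of this script or of Pluck) that audits a theme .tar.gz before it is installed, flagging members that escape the theme directory, link members, and PHP files that call command-execution functions. The function names, the extension list and the risky-call list are assumptions made for illustration, and the sample archive is constructed in memory.

```python
import io
import re
import tarfile

# Heuristic list (an assumption, not exhaustive): PHP calls that run OS
# commands or evaluate strings as code.
RISKY_CALL = re.compile(
    rb"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(", re.I)
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5", ".php7")


def audit_theme_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, finding) pairs for a gzip-compressed theme tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            name = member.name
            if name.startswith("/") or ".." in name.replace("\\", "/").split("/"):
                findings.append((name, "path escapes the theme directory"))
            if member.issym() or member.islnk():
                findings.append((name, "link member"))
                continue
            if not member.isfile() or not name.lower().endswith(SCRIPT_EXT):
                continue
            body = tar.extractfile(member).read()
            calls = sorted({m.group(1).decode().lower()
                            for m in RISKY_CALL.finditer(body)})
            if calls:
                findings.append((name, "calls " + ", ".join(calls)))
    return findings


def build_archive(files: dict[str, bytes]) -> bytes:
    """Pack name -> content pairs into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed sample: a harmless template next to a command-running script.
SAMPLE = build_archive({
    "demo/theme.php": b"<html><?php echo 'hello'; ?></html>",
    "demo/extra.php": b"<?php echo shell_exec('uptime'); ?>",
})

if __name__ == "__main__":
    for name, finding in audit_theme_archive(SAMPLE):
        print(f"{name}: {finding}")
```

A clean result from this heuristic does not prove an archive is safe, since obfuscated code can avoid the listed function names.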