
CVE-2022-26965

Published: 18/03/2022 Updated: 25/03/2022
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2
VMScore: 580
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution.

Vulnerable Products

pluck-cms pluck 4.7.16

Exploits

Pluck CMS version 4.7.16 suffers from a remote shell upload execution vulnerability ...

Github Repositories

A theme upload functionality in Pluck CMS before 4.7.16 allows an admin privileged user to gain access in the host through the "themes files", which may result in remote code execution. This rendition of the original exploit includes patches for problems I had when executing the script and automatic theme shell injection.

Author: Jack Potter
Original discovery: Ashish Koli (Shikari)
Version: 4.7.16
CVE: CVE-2022-26965
Example: python fullPluckStager.py -t 127.0.0.1 --password pass1 --theme /theme/bestfriends.tar.gz --shell /shell/shell.php -u /pluck-4.7.16-dev5

# Exploit Title: Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)
# Date: 13.03.2022
# Exploit Author: Ashish Koli (Shikari)
# Vendor Homepage: https://github.com/pluck-cms/pluck
# Version: 4.7.16
# Tested on: Ubuntu 20.04.3 LTS
# CVE: CVE-2022-26965

Pluck-Exploitation-by-skdevils
# Exploit Title: Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)
# Date: 13.03.2022
# Exploit Author: Ashish Koli (Shikari)
# Vendor Homepage: github.com/pluck-cms/pluck
# Version: 4.7.16
# Tested on: Ubuntu 20.04.3 LTS
# CVE: CVE-2022-26965

Pluck-CMS-Pluck-4.7.16-Theme-Upload-Remote-Code-Execution-Authenticated-POC
Exploit Author: Ashish Koli (Shikari)
Vendor Homepage: github.com/pluck-cms/pluck
Version: 4.7.16
CVE: CVE-2022-26965
About this: This script uploads shell.tar to the Pluck CMS. The application will untar the package, which allows us to access the webshell.
Usage: python3 exploit.py
Example: pyt