Pluck 4.7.7-dev2 PHP Code Execution

2025.12.14

Credit: CodeSecLab

Risk: High

Local: No

Remote: Yes

CVE: CVE-2018-11736

CWE: CWE-434

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

# Exploit Title: Pluck 4.7.7-dev2 -  PHP Code Execution 
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/pluck-cms/pluck
# Software Link: https://github.com/pluck-cms/pluck
# Version: 4.74-dev5
# Tested on: Ubuntu Windows
# CVE : CVE-2018-11736

PoC:
1）
1. Log in to the Pluck admin panel.\n
2. Navigate to the 'Manage Images' section at http://pluck1/admin.php?action=images.\n
3. Upload a file named '.htaccess' with the content-type 'image/jpeg' containing 'AddType application/x-httpd-php .jpg'.\n
4. Access the target directory (e.g., http://pluck1/images/test.jpg) to execute PHP code with the .jpg extension.

2)
.htaccess content: 
RewriteEngine On
RewriteRule .* http://www.baidu.com/ [R,L]

[Replace Your Domain Name]

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Pluck 4.7.7-dev2 PHP Code Execution

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.