CVE-2020-21564

8.8 HIGH

📋 TL;DR

Pluck CMS 4.7.10-dev2 and 4.7.11 contain a file upload vulnerability in the admin.php?action=files endpoint that allows authenticated attackers to upload malicious files, leading to remote command execution. Exploitation requires an account with administrator or file upload privileges. The vulnerability stems from insufficient file type validation.

💻 Affected Systems

Products:
  • Pluck CMS
Versions: 4.7.10-dev2, 4.7.11
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin access or file upload privileges via admin.php?action=files.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with remote code execution, data theft, and complete control over the web server.

🟠 Likely Case: Unauthorized file upload leading to webshell deployment and subsequent command execution on the server.

🟢 If Mitigated: Limited impact with proper file validation and restricted upload permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication; public proof-of-concept demonstrates file upload to achieve RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.12

Vendor Advisory: https://github.com/pluck-cms/pluck/issues/83

Restart Required: No

Instructions:

1. Backup your Pluck CMS installation.
2. Download and install Pluck CMS version 4.7.12 or later.
3. Replace all files with the updated version.
4. Verify the fix by checking the version.

🔧 Temporary Workarounds

Restrict File Upload Permissions (applies to: all)

Temporarily disable or restrict file upload functionality in admin.php?action=files.

Modify admin.php to remove or secure file upload handling.

Implement File Type Validation (applies to: all)

Add server-side validation to allow only specific file types (e.g., images).

Add file extension and MIME type checks in the upload script.
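The extension and MIME checks described above, as an added example written for this page (not Pluck CMS code; the function name, the allowlist and the target directory constant are hypothetical). It rejects double extensions, allowlists extensions, and derives the content type from the file bytes rather than the client-supplied header.

```php
<?php
// Added example, not Pluck CMS code. Names are hypothetical.

// Allowlist of extensions and the MIME types each one may carry.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns null if the upload is acceptable, otherwise a rejection reason.
 * $file is one entry of $_FILES (keys: name, tmp_name, error, size).
 */
function validate_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload error';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Use only the basename so client-supplied directory components are dropped.
    $name = basename($file['name']);
    // Exactly one dot: refuses "x.php.jpg" style double extensions and extension-less names.
    if (substr_count($name, '.') !== 1) {
        return 'filename must have exactly one extension';
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return "extension .$ext not allowed";
    }
    // Sniff the real content type from the bytes on disk, not from the Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return "content type $mime does not match .$ext";
    }
    return null;
}

// Usage inside the upload handler (UPLOAD_DIR is a hypothetical constant):
// $reason = validate_upload($_FILES['upload']);
// if ($reason !== null) { http_response_code(400); exit("Rejected: $reason"); }
// $stored = UPLOAD_DIR . '/' . bin2hex(random_bytes(8)) . '.' . strtolower(pathinfo($_FILES['upload']['name'], PATHINFO_EXTENSION));
// move_uploaded_file($_FILES['upload']['tmp_name'], $stored);
```

Store uploads under a directory where the web server is configured not to execute scripts, and write them under a generated name (as in the usage lines) rather than the client's original filename.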

🧯 If You Can't Patch

  • Restrict access to admin.php?action=files via firewall rules or authentication.
  • Monitor file upload logs for suspicious activity and block malicious IPs.

🔍 How to Verify

Check if Vulnerable:

Check if Pluck CMS version is 4.7.10-dev2 or 4.7.11 by reviewing the version file or admin panel.

Check Version:

Check the version in the admin panel or look for version info in the Pluck CMS files.

Verify Fix Applied:

Verify the installation is updated to version 4.7.12 or later and test file upload functionality with malicious files.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to admin.php?action=files, especially non-image files.
  • Execution of suspicious commands via uploaded files.

Network Indicators:

  • HTTP POST requests to admin.php?action=files with file uploads.
  • Outbound connections from the server to unknown IPs post-upload.

SIEM Query:

source="web_logs" AND uri="/admin.php?action=files" AND method="POST" AND file_upload="true"
