CVE-2022-26965
📋 TL;DR
This vulnerability allows authenticated admin users in Pluck CMS 4.7.16 to upload malicious theme files through the theme installation functionality, leading to remote code execution. Attackers with admin credentials can execute arbitrary code on the server. Only Pluck CMS installations with version 4.7.16 are affected.
💻 Affected Systems
- Pluck CMS
📦 What is this software?
Pluck by Pluck Cms
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, pivot to other systems, and maintain persistent access.
Likely Case
Attackers with stolen or compromised admin credentials upload web shells to gain control over the CMS and underlying server, potentially defacing websites or stealing sensitive data.
If Mitigated
With proper access controls and monitoring, exploitation would be limited to authorized admin users only, reducing risk to intentional insider threats.
🎯 Exploit Status
Exploit requires admin credentials; public proof-of-concept demonstrates shell upload via theme installation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.17 or later
Vendor Advisory: https://github.com/pluck-cms/pluck/releases
Restart Required: No
Instructions:
1. Back up your Pluck CMS installation and database.
2. Download the latest version from the official repository.
3. Replace all files except config.php and the data directory.
4. Verify functionality after the update.
🔧 Temporary Workarounds
Disable Theme Upload
Remove or restrict access to the theme upload functionality at /admin.php?action=themeinstall
# Modify .htaccess to block access to themeinstall.
# RewriteRule only matches the URL path, never the query string, so the
# action parameter must be tested separately with RewriteCond on %{QUERY_STRING}.
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)action=themeinstall(&|$) [NC]
RewriteRule ^admin\.php$ - [F,L]
Restrict Admin Access
Implement IP whitelisting for admin panel access and enforce strong authentication.
# Example .htaccess IP restriction (Apache 2.2 mod_access syntax; Apache 2.4 uses the Require directive instead).
# Scope it to admin.php (for example inside a <Files "admin.php"> block) unless the whole site should be restricted;
# 192.168.1.0/24 is a placeholder for your admin network.
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
🧯 If You Can't Patch
- Implement strict access controls for admin accounts with multi-factor authentication.
- Deploy web application firewall (WAF) rules to block theme upload attempts and monitor for suspicious admin activity.
🔍 How to Verify
Check if Vulnerable:
Check Pluck CMS version in admin panel or by examining version files; version 4.7.16 is vulnerable.
Check Version:
Check admin panel or look for version information in includes/version.php
Verify Fix Applied:
Verify version is 4.7.17 or later and test theme upload functionality with safe files.
📡 Detection & Monitoring
Log Indicators:
- Unusual theme upload activity in admin logs
- Multiple failed login attempts followed by themeinstall access
- File uploads to themes directory with suspicious extensions
Network Indicators:
- POST requests to /admin.php?action=themeinstall with file uploads
- Unexpected outbound connections from web server
SIEM Query:
source="web_logs" AND (uri="/admin.php" AND query="action=themeinstall") AND status=200
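The log and network indicators above can be checked offline against an access log. The following is an added example, not code from the CVE page or from the Pluck CMS project. It assumes the Apache/Nginx "combined" log format, Pluck served from the web root (so the relevant paths are /admin.php and /login.php), and one heuristic that is an assumption rather than documented Pluck behaviour: a failed login is a POST to /login.php answered with 200 (form re-rendered), while a successful login is answered with a 302 redirect. The sample log lines are constructed.

```python
"""Offline check for the CVE-2022-26965 log indicators: POST requests to
/admin.php?action=themeinstall that succeeded, and themeinstall access from an
IP that shortly before produced a burst of (assumed) failed logins."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real traffic): 10.0.0.5 brute-forces the login,
# succeeds, then uses themeinstall; 192.168.1.20 is a legitimate admin using
# themeinstall with no failed logins; 203.0.113.9 is an unrelated visitor.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2022:14:01:02 +0000] "POST /login.php HTTP/1.1" 200 1543 "-" "curl/7.81.0"',
    '10.0.0.5 - - [10/Mar/2022:14:01:05 +0000] "POST /login.php HTTP/1.1" 200 1543 "-" "curl/7.81.0"',
    '10.0.0.5 - - [10/Mar/2022:14:01:09 +0000] "POST /login.php HTTP/1.1" 200 1543 "-" "curl/7.81.0"',
    '10.0.0.5 - - [10/Mar/2022:14:01:15 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/7.81.0"',
    '10.0.0.5 - - [10/Mar/2022:14:02:30 +0000] "GET /admin.php?action=themeinstall HTTP/1.1" 200 2210 "-" "curl/7.81.0"',
    '10.0.0.5 - - [10/Mar/2022:14:02:41 +0000] "POST /admin.php?action=themeinstall HTTP/1.1" 200 2210 "-" "curl/7.81.0"',
    '192.168.1.20 - - [10/Mar/2022:09:15:00 +0000] "GET /admin.php?action=settings HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Mar/2022:09:16:00 +0000] "POST /admin.php?action=themeinstall HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2022:11:00:00 +0000] "GET /index.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
    'this line is garbage and must be skipped',
]

# Leading fields of the combined log format; referer and user agent are ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts, method, path, query, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)   # {"action": ["themeinstall"]} for the hit
    return rec


def is_themeinstall(rec):
    """True for any request to admin.php whose query carries action=themeinstall."""
    return rec["path"].endswith("/admin.php") and "themeinstall" in rec["query"].get("action", [])


def is_failed_login(rec):
    """Assumed heuristic: failed login = POST /login.php answered with 200."""
    return rec["path"].endswith("/login.php") and rec["method"] == "POST" and rec["status"] == 200


def find_indicators(lines, fail_threshold=3, window_s=600):
    """Scan log lines (any order) and return the two indicator lists as (ip, iso-timestamp) tuples."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    failed_logins = defaultdict(list)     # ip -> timestamps of assumed failed logins
    uploads, bruteforce, flagged_ips = [], [], set()
    for rec in records:
        if is_failed_login(rec):
            failed_logins[rec["ip"]].append(rec["ts"])
            continue
        if not is_themeinstall(rec):
            continue
        # Indicator 1: a successful POST to the theme installer (the SIEM query above, narrowed to POST).
        if rec["method"] == "POST" and rec["status"] == 200:
            uploads.append((rec["ip"], rec["ts"].isoformat()))
        # Indicator 2: failed-login burst from the same IP within window_s before this access.
        recent = [t for t in failed_logins[rec["ip"]] if (rec["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= fail_threshold and rec["ip"] not in flagged_ips:
            flagged_ips.add(rec["ip"])
            bruteforce.append((rec["ip"], rec["ts"].isoformat()))
    return {"themeinstall_uploads": uploads, "bruteforce_then_install": bruteforce}


if __name__ == "__main__":
    for name, hits in find_indicators(SAMPLE_LOG).items():
        print(name)
        for ip, ts in hits:
            print(f"  {ip} at {ts}")
```

Run against a real log with `find_indicators(open("access.log"))`. The legitimate admin's themeinstall POST is still reported under the first indicator, which is intended: every successful theme upload deserves a look, and the second indicator is what separates the credential-stuffing case from routine admin work.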