CVE-2023-25828

7.2 HIGH

📋 TL;DR

Pluck CMS has an authenticated remote code execution vulnerability in its albums module. Attackers with administrator credentials can upload malicious JPEG files containing embedded PHP code, leading to complete server compromise. Only Pluck CMS installations with the albums module enabled are affected.

💻 Affected Systems

Products:
  • Pluck CMS
Versions: All versions prior to 4.7.18
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires albums module to be enabled and administrator access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise allowing data theft, malware deployment, lateral movement, and complete system control.

🟠 Likely Case: Web server compromise leading to website defacement, data exfiltration, and backdoor installation.

🟢 If Mitigated: Limited impact due to strong access controls, file upload restrictions, and proper segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator credentials but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.18

Vendor Advisory: https://github.com/pluck-cms/pluck/releases/tag/4.7.18

Restart Required: No

Instructions:

1. Back up your Pluck CMS installation and database.
2. Download Pluck CMS 4.7.18 or later.
3. Replace all files with the new version.
4. Clear browser cache and verify functionality.

🔧 Temporary Workarounds

Disable albums module (platform: all)

Temporarily disable the vulnerable albums module to prevent exploitation: remove or rename the 'albums' directory in your Pluck CMS installation.

Restrict file uploads (platform: linux)

Configure the web server so that nothing under the albums upload directory is executed as code. With Apache running PHP as mod_php, add 'php_flag engine off' to a .htaccess file in the albums upload directory (the directory's AllowOverride setting must permit it). Note that php_flag is honored only by mod_php: under PHP-FPM or CGI the directive has no effect, and Apache returns a 500 error for the directory when mod_php is not loaded at all, so in those setups apply the equivalent restriction in the server configuration (deny access to .php files under that directory, or do not hand them to the PHP handler) and confirm the restriction with a harmless test file before relying on it.

🧯 If You Can't Patch

  • Implement strict access controls and multi-factor authentication for administrator accounts
  • Deploy web application firewall with file upload protection rules

🔍 How to Verify

Check if Vulnerable:

Check Pluck CMS version in admin panel or by examining version.php file.

Check Version:

grep 'pluck_version' /path/to/pluck/version.php

Verify Fix Applied:

Confirm the reported version is 4.7.18 or later, then test the file upload functionality with malicious files and confirm that such an upload is rejected or, if stored, is never executed by the web server.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to albums directory
  • Administrator account logins from unexpected locations
  • Execution of PHP files from upload directories

Network Indicators:

  • HTTP requests to unusual PHP files in upload directories
  • Outbound connections from web server to suspicious IPs

SIEM Query:

source="web_logs" AND (uri="/data/albums/*.php" OR (uri="/data/albums/*.jpeg" AND method="POST"))
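As an added worked example (not part of this advisory and not Pluck CMS code), the following Python script applies the same two indicators as the SIEM query above to raw access-log lines, which is useful where the web server logs are not yet shipped to a SIEM. The log lines embedded in it are constructed samples, and the `/data/albums/` upload path is an assumption taken from the query above; adjust it to your installation. Unlike a plain wildcard match, it URL-decodes and normalises each request path first, so an encoded filename or a `../` segment is judged by where the request actually lands.

```python
"""Offline check of web-server access logs for the CVE-2023-25828 indicators
listed above: PHP files requested from, or JPEGs POSTed to, the albums upload
directory. Added example; the log lines below are constructed, not real."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Upload path assumed from the advisory's SIEM query; adjust to your install.
ALBUMS_PREFIX = "/data/albums/"

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic: two benign lines, then three that should alert
# (a JPEG upload, a .php request, and the same .php request URL-encoded).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:12:00:09 +0000] "GET /data/albums/holiday/img01.jpeg HTTP/1.1" 200 44120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:12:01:30 +0000] "POST /data/albums/holiday/img02.jpeg HTTP/1.1" 200 12 "-" "curl/7.88.1"
198.51.100.7 - - [10/Mar/2023:12:01:45 +0000] "GET /data/albums/holiday/img02.php HTTP/1.1" 200 88 "-" "curl/7.88.1"
198.51.100.7 - - [10/Mar/2023:12:02:00 +0000] "GET /data/albums/holiday/%69mg02.PHP HTTP/1.1" 404 88 "-" "curl/7.88.1"
"""


def normalize_path(target):
    """Decode and collapse the request path so percent-encoding, mixed case
    and ../ segments do not hide where the request really lands on disk."""
    path = unquote(urlsplit(target).path)
    return posixpath.normpath(path).lower()


def classify(line):
    """Return an indicator tag for one log line, or None if it is uninteresting."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m["target"])
    if not path.startswith(ALBUMS_PREFIX):
        return None
    # Any request for a .php file under the upload directory: nothing
    # executable belongs there, so this is the strongest single indicator.
    if path.endswith(".php"):
        return "php_in_upload_dir"
    # POSTs of JPEGs, the file type the advisory says carries the payload.
    if m["method"] == "POST" and path.endswith((".jpeg", ".jpg")):
        return "jpeg_post"
    return None


def scan(log_text):
    """Run classify() over every line; return the alerts with context for triage."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        tag = classify(line)
        if tag is None:
            continue
        m = LOG_RE.match(line)
        alerts.append({
            "line": lineno, "tag": tag, "ip": m["ip"], "method": m["method"],
            "status": m["status"], "path": normalize_path(m["target"]),
        })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a['line']}: {a['tag']} {a['ip']} {a['method']} "
              f"{a['path']} -> {a['status']}")
```

Running the script directly prints the three alerts for the sample; to triage real data, pass the contents of your access log to `scan()`. The extension list is deliberately the one from the advisory's query; widen it if your PHP handler also serves other extensions.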
