CVE-2023-50564
📋 TL;DR
This vulnerability allows attackers to upload arbitrary ZIP files containing malicious code to Pluck-CMS, leading to remote code execution. Attackers can take full control of affected systems by exploiting the insecure file upload functionality in the modules installation component. All users running vulnerable versions of Pluck-CMS are affected.
💻 Affected Systems
- Pluck-CMS
📦 What is this software?
Pluck by Pluck Cms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full administrative access, data theft, lateral movement, and persistent backdoor installation.
Likely Case
Web server compromise leading to website defacement, data exfiltration, and use of the server as a platform for further attacks.
If Mitigated
Attack blocked at perimeter with file upload restrictions and proper input validation in place.
🎯 Exploit Status
Exploitation requires creating a malicious ZIP file containing a PHP shell and uploading it via the vulnerable endpoint. A public proof-of-concept demonstrates complete exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Pluck-CMS repository for latest version > v4.7.18
Vendor Advisory: https://github.com/pluck-cms/pluck
Restart Required: No
Instructions:
1. Back up the current installation.
2. Download the latest Pluck-CMS version from the official repository.
3. Replace vulnerable files with patched versions.
4. Verify functionality.
🔧 Temporary Workarounds
Restrict File Uploads
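Implement strict file upload validation and disable ZIP upload functionality
# Add to .htaccess or web server config
# <Files> matches the file name only, so no directory prefix is used
<Files "modules_install.php">
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
Deny from all
</Files>
# Limit upload size in PHP config (mod_php only); this caps the size, it does not block ZIP files by type
php_value upload_max_filesize 1M
php_value post_max_size 1M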
Web Application Firewall Rules
Block requests to vulnerable endpoint and suspicious file uploads
# ModSecurity rule example
SecRule REQUEST_URI "@contains /inc/modules_install.php" "id:1001,phase:1,deny,msg:'Block Pluck-CMS exploit attempt'"
🧯 If You Can't Patch
- Implement strict file upload validation with whitelisted extensions only
- Deploy web application firewall with rules blocking access to /inc/modules_install.php
🔍 How to Verify
Check if Vulnerable:
Check if running Pluck-CMS v4.7.18 and if /inc/modules_install.php exists and accepts ZIP uploads without proper validation.
Check Version:
Check Pluck-CMS admin panel or examine version.php file in installation directory
Verify Fix Applied:
Verify version is updated beyond v4.7.18 and test that ZIP uploads to modules_install.php are properly validated or blocked.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /inc/modules_install.php with ZIP files
- Unusual file uploads to modules directory
- PHP file execution from unexpected locations
Network Indicators:
- HTTP requests with ZIP file uploads to vulnerable endpoint
- Outbound connections from web server to unknown IPs
SIEM Query:
source="web_logs" AND (uri="/inc/modules_install.php" OR file_extension="zip") AND status=200
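The log indicators above can be checked directly against a web server access log. The following is an added example, not part of the original advisory or of Pluck-CMS: it assumes the Apache/nginx "combined" log format, and the `/modules/` path marker, rule names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

INSTALL_PATH = "/inc/modules_install.php"  # endpoint named in this advisory
MODULES_MARKER = "/modules/"  # assumption: adjust to your modules directory

# Apache/nginx "combined" access log format
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise(target):
    """Drop the query string, percent-decode, collapse repeated slashes."""
    return re.sub(r"/{2,}", "/", unquote(target.split("?", 1)[0]))

def scan(lines):
    """Return (line_no, rule, client_ip) findings for the log indicators."""
    findings = []
    uploaders = set()  # clients whose installer POST was not rejected
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        path, status = normalise(m["target"]), int(m["status"])
        if m["method"] == "POST" and path.endswith(INSTALL_PATH):
            accepted = 200 <= status < 400
            if accepted:
                uploaders.add(m["ip"])
            rule = "install_post_accepted" if accepted else "install_post_rejected"
            findings.append((no, rule, m["ip"]))
        elif MODULES_MARKER in path and path.endswith(".php") and status == 200:
            # PHP served from the modules tree; escalate if the client just uploaded
            rule = "module_php_after_upload" if m["ip"] in uploaders else "module_php_request"
            findings.append((no, rule, m["ip"]))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic
SAMPLE = [
    '198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2024:10:00:05 +0000] "POST /inc/modules_install.php HTTP/1.1" 200 312 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jan/2024:10:00:09 +0000] "GET /modules/example/example.php HTTP/1.1" 200 45 "-" "curl/8.0"',
    '192.0.2.44 - - [10/Jan/2024:10:02:00 +0000] "POST //inc/modules_install.php?a=1 HTTP/1.1" 403 199 "-" "curl/8.0"',
    '192.0.2.44 - - [10/Jan/2024:10:02:03 +0000] "GET /modules/example/example.php HTTP/1.1" 200 45 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

An `install_post_accepted` finding followed by `module_php_after_upload` from the same client is the sequence to triage first; `install_post_rejected` shows that a blocking rule is working but the endpoint is being probed.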