CVE-2024-43042

9.8 CRITICAL

📋 TL;DR

Pluck CMS 4.7.18 lacks rate limiting on login attempts, allowing attackers to perform brute force attacks against admin credentials. This affects all Pluck CMS 4.7.18 installations with default configuration. Attackers can potentially gain administrative access to the CMS.

💻 Affected Systems

Products:
  • Pluck CMS
Versions: 4.7.18
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of Pluck CMS 4.7.18 are vulnerable unless custom rate limiting has been implemented.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of CMS administration leading to website defacement, data theft, or server takeover if CMS has elevated privileges.

🟠 Likely Case

Administrative account takeover allowing content manipulation, plugin installation, or configuration changes.

🟢 If Mitigated

Failed login attempts logged but no successful compromise if strong passwords are used.

🌐 Internet-Facing: HIGH - Web CMS systems are typically internet-facing and directly accessible for login attempts.
🏢 Internal Only: MEDIUM - Internal systems could still be targeted by internal threats or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Brute force attacks require no special tools: standard HTTP requests to the login endpoint with different credentials are enough.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.19 or later

Vendor Advisory: https://github.com/pluck-cms/pluck

Restart Required: No

Instructions:

1. Backup current installation
2. Download Pluck CMS 4.7.19+ from GitHub
3. Replace existing files with new version
4. Verify login functionality works

🔧 Temporary Workarounds

Web Application Firewall Rate Limiting

Implement rate limiting at the WAF or reverse proxy level

# Example nginx rate limiting (limit_req_zone belongs in the http block, the location in the server block):
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
location /admin {
    limit_req zone=login burst=10 nodelay;
}

IP-based Blocking via .htaccess

Block IPs with excessive failed logins using Apache mod_evasive or similar

# Install mod_evasive (Debian/Ubuntu)
sudo apt-get install libapache2-mod-evasive
# Configure thresholds in /etc/apache2/mods-available/evasive.conf, then enable and reload
sudo a2enmod evasive
sudo systemctl reload apache2

🧯 If You Can't Patch

  • Implement network-level rate limiting using firewall or load balancer
  • Change the admin password to a strong, complex one (16+ characters with a mix of character types)

🔍 How to Verify

Check if Vulnerable:

Check if you can send multiple failed login requests without lockout or delay

Check Version:

Check the Pluck CMS version in the admin panel or read the version.txt file

Verify Fix Applied:

Attempt multiple failed logins and verify account locks or rate limiting occurs

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts from same IP
  • Rapid succession of POST requests to /admin/login

Network Indicators:

  • High volume of HTTP POST requests to login endpoint
  • Pattern of credential guessing

SIEM Query:

source="web_logs" action="POST" uri="/admin/login" status="401" | stats count by src_ip | where count > 10
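The same detection logic as the SIEM query above, run over access-log lines, as an added example that is not from the original page: it counts failed POSTs to /admin/login per source IP inside a sliding time window and flags IPs over the threshold. The combined log format, the 401 failure status and the sample lines are assumptions; adjust `failure_statuses` if your Pluck install answers a failed login with a different status code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (nginx/Apache access log): ip ident user [ts] "METHOD uri proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "uri": m["uri"].split("?", 1)[0],
            "status": int(m["status"])}

def find_bruteforce(lines, uri="/admin/login", failure_statuses=(401,),
                    threshold=10, window=timedelta(minutes=5)):
    """Map source IP -> max number of failed POSTs to `uri` seen inside any
    sliding window of length `window`, for IPs whose count exceeds `threshold`."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if (ev and ev["method"] == "POST" and ev["uri"] == uri
                and ev["status"] in failure_statuses):
            per_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            flagged[ip] = best
    return flagged

# Constructed sample (assumed format): 12 failed logins in 12 seconds from one IP, plus benign noise.
SAMPLE_LINES = [
    f'203.0.113.5 - - [01/Jan/2024:10:00:{i:02d} +0000] "POST /admin/login HTTP/1.1" 401 512'
    for i in range(12)
] + [
    '198.51.100.7 - - [01/Jan/2024:10:00:30 +0000] "POST /admin/login HTTP/1.1" 401 512',
    '198.51.100.7 - - [01/Jan/2024:10:01:30 +0000] "POST /admin/login HTTP/1.1" 200 2048',
    'not a log line',
]
```

Running `find_bruteforce(SAMPLE_LINES)` flags only 203.0.113.5; a window of a few seconds or a higher threshold would let the same burst pass, so tune both to your traffic.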
