CVE-2018-16729

Name of the Vulnerable Software and Affected Versions Pluck version 4.7.7

Description The issue allows for XSS (Cross-Site Scripting) attacks via an SVG file containing Javascript in a SCRIPT element. This file can be uploaded through the 'pages->manage' section under the 'admin.php?action=files' endpoint.

Recommendations For Pluck version 4.7.7, consider restricting access to the file upload functionality under 'admin.php?action=files' to minimize the risk of exploitation. As a temporary workaround, avoid using the file upload feature in the 'pages->manage' section until a patch is available.