Dk0N9O

#24657 of 53,635
9.8 total CVSS
Vulnerabilities · 1
PT-2019-12250
9.8
2019-04-19
Pluck · Pluck · CVE-2019-11344
**Name of the Vulnerable Software and Affected Versions**

Pluck version 4.7.8

**Description**

The issue allows remote attackers to execute arbitrary code by uploading a `.htaccess` file that specifies `SetHandler x-httpd-php` for a `.txt` file. This is possible because only certain PHP-related filename extensions are blocked, leaving other extensions vulnerable to exploitation.

**Recommendations**

For Pluck version 4.7.8, consider restricting the upload of `.htaccess` files or implementing additional checks to prevent the execution of arbitrary code through uploaded files. As a temporary workaround, restrict access to the `data/inc/files.php` file to minimize the risk of exploitation.
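
The "additional checks" recommended above can take the form of an allowlist on the upload filename instead of a blocklist. The following is an added example, not Pluck's code: the function names and both extension lists are assumptions made for illustration. It shows why a PHP-extension blocklist lets `.htaccess` through while an allowlist that refuses dotfiles does not.

```php
<?php
// Added illustration, not taken from Pluck. Function names and the
// extension lists below are hypothetical.

// Blocklist shape described in the advisory: only PHP-related
// extensions are refused, everything else is accepted.
function blocklist_allows(string $name): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar']; // constructed list
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // For ".htaccess" the extension is "htaccess", which is not blocked.
    return !in_array($ext, $blocked, true);
}

// Allowlist shape: accept only names that match a strict pattern and
// end in an explicitly permitted extension.
function allowlist_allows(string $name): bool
{
    $allowed = ['txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif']; // constructed list

    // Drop any directory part, treating backslashes as separators too.
    $base = basename(str_replace('\\', '/', $name));

    // Refuse dotfiles such as .htaccess, which the web server reads as
    // per-directory configuration rather than as content.
    if ($base === '' || $base[0] === '.') {
        return false;
    }

    // Exactly one dot and a conservative character set, so that names
    // like "image.php.png" are refused as well.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})$/', $base, $m)) {
        return false;
    }

    return in_array(strtolower($m[1]), $allowed, true);
}

// Constructed sample filenames.
$samples = ['notes.txt', '.htaccess', 'page.php', 'image.php.png', 'report.PDF'];
foreach ($samples as $n) {
    printf("%-14s blocklist=%-5s allowlist=%s\n", $n,
        var_export(blocklist_allows($n), true),
        var_export(allowlist_allows($n), true));
}
```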