CVE-2008-3851

Name of the Vulnerable Software and Affected Versions Pluck CMS version 4.5.2

Description The issue involves multiple directory traversal vulnerabilities that allow remote attackers to include and execute arbitrary local files. This is achieved by using a .. (dot dot backslash) in the blogpost, cat, and file parameters to "data/inc/themes/predefined variables.php", as well as the blogpost and cat parameters to "data/inc/blog include react.php", both of which are reachable through "index.php".

Recommendations For Pluck CMS version 4.5.2, consider restricting access to the vulnerable parameters blogpost, cat, and file in the affected API endpoints until a patch is available. As a temporary workaround, avoid using these parameters in "data/inc/themes/predefined variables.php" and "data/inc/blog include react.php" to minimize the risk of exploitation.