CVE-2018-11736

Name of the Vulnerable Software and Affected Versions Pluck versions prior to 4.7.7-dev2

Description An issue was discovered that allows remote attackers to upload and execute arbitrary PHP code. This is achieved by using the image/jpeg content type for a .htaccess file in the /data/inc/images.php endpoint.

Recommendations For versions prior to 4.7.7-dev2, update to version 4.7.7-dev2 or later to resolve the issue. As a temporary workaround, consider restricting access to the /data/inc/images.php endpoint to minimize the risk of exploitation. Avoid using the image/jpeg content type for uploading files until the issue is resolved.