CVE-2019-11344

Name of the Vulnerable Software and Affected Versions Pluck version 4.7.8

Description The issue allows remote attackers to execute arbitrary code by uploading a .htaccess file that specifies SetHandler x-httpd-php for a .txt file. This is possible because only certain PHP-related filename extensions are blocked, leaving other extensions vulnerable to exploitation.

Recommendations For Pluck version 4.7.8, consider restricting the upload of .htaccess files or implementing additional checks to prevent the execution of arbitrary code through uploaded files. As a temporary workaround, restrict access to the data/inc/files.php file to minimize the risk of exploitation.