PT-2023-20333 · Pluck CMS

Matthew Hogg · Published 2023-03-27 · Updated 2023-05-31 · CVE-2023-25828

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Pluck CMS (affected versions not specified)

Description: The issue concerns an authenticated remote code execution (RCE) vulnerability through the "albums" module. This module allows the creation of image collections that can be inserted into web pages. Due to a lack of file extension validation, an attacker can upload a crafted JPEG payload containing an embedded PHP web-shell, which can be accessed directly to achieve RCE on the underlying web server. Administrator credentials are required to exploit this vulnerability.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
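The root cause described above is an upload path that trusts the submitted file without checking its extension or its content. The following is an added example, not Pluck CMS code, of the server-side checks a defender would put in front of an image upload endpoint: an extension allowlist, a magic-byte check that the bytes really are the claimed image type, rejection of image/PHP polyglots (a file that is a valid JPEG and also carries a `<?php` tag), and a random storage name so the uploader never controls the path. The function names, the JPEG sample and the error strings are all constructed for this example.

```python
"""
Image upload validator: the checks that block an image file carrying PHP code.
Added illustration for PT-2023-20333 / CVE-2023-25828; not Pluck CMS code.
"""
import os
import re
import secrets
from typing import Tuple

# Allowlist: extension -> magic bytes the content must start with.
ALLOWED_SIGNATURES = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
}

# A PHP open tag anywhere in the body means the file is a polyglot; if the
# web server ever hands it to the PHP interpreter, the embedded code runs.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Constructed minimal JPEG: SOI marker, APP0/JFIF header, padding, EOI marker.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check is fail-closed."""
    # 1. The submitted name must be a bare file name with exactly one
    #    extension: rejects path traversal and double extensions like a.php.jpg.
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return False, "invalid filename"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension .{ext} not allowed"

    # 2. The content must match the extension's magic bytes, so renaming a
    #    script to .jpg is not enough.
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match extension"

    # 3. A real image that also contains a PHP tag is refused outright.
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"

    return True, "ok"


def safe_storage_name(ext: str) -> str:
    """Random server-chosen name; the uploader's name is never used on disk."""
    if ext not in ALLOWED_SIGNATURES:
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    samples = [
        ("photo.jpg", JPEG_SAMPLE),
        ("shot.jpg", JPEG_SAMPLE + b"<?php echo 1; ?>"),   # polyglot
        ("shot.php.jpg", JPEG_SAMPLE),                     # double extension
        ("script.php", b"<?php echo 1; ?>"),               # wrong extension
    ]
    for name, body in samples:
        ok, why = validate_upload(name, body)
        print(f"{name:14} -> {'accept' if ok else 'reject'} ({why})")
```

The polyglot check is deliberately blunt: it rejects any image containing a PHP tag, even in EXIF metadata, because the safe response to an ambiguous file is to refuse it rather than try to sanitise it. Independently of validation, the upload directory should be served with script execution disabled (for example no PHP handler and no `.htaccess` overrides) so that a file which slips through the checks is still only ever returned as static data.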

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2023-25828

Affected Products

Pluck CMS