PT-2025-30156 · Pluck Cms · Pluck Cms

Published 2025-07-19 · Updated 2025-10-14 · CVE-2025-46099

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Pluck CMS version 4.7.20-dev

Description

Pluck CMS contains a flaw that allows an authenticated attacker to upload or create a crafted PHP file within the albums module directory. This file can then be accessed through the module routing logic in albums.site.php, potentially leading to arbitrary command execution via a GET parameter.

Recommendations

Update to a newer version of Pluck CMS that addresses this issue. As a temporary workaround, restrict file upload capabilities within the albums module. Review and restrict access to the albums.site.php file to prevent unauthorized access.

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-46099

Affected Products

Pluck Cms