CVE-2025-46099

Published: Jul 23, 2025Modified: Oct 14, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php, resulting in arbitrary command execution through a GET parameter.

Affected (1)

Products: Pluck Cms: Pluck

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pluck Cms Pluck	Version 4.7.20 dev

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

http://pluck.com

Source: cve@mitre.org

Broken Link

https://github.com/0xC4J/CVE-Lists/blob/main/CVE-2025-46099/CVE-2025-46099.md

Source: cve@mitre.org

Third Party Advisory

Timeline

No history available yet.