CVE-2020-18195: 
Pluck CMS vulnerability analysis and mitigation

Cross Site Request Forgery (CSRF) vulnerability was discovered in Pluck CMS v4.7.9 that allows remote attackers to execute arbitrary code and delete specific articles via the component '/admin.php?action=page.' The vulnerability was disclosed on May 17, 2021 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The issue affects Pluck CMS version 4.7.9 and allows attackers to perform unauthorized actions through crafted requests (NVD, GitHub Issue).

The vulnerability allows attackers to perform multiple unauthorized actions when an authenticated administrator visits a malicious page, including: deleting pictures, removing topics, deleting modules, and deleting articles from the CMS (GitHub Issue).

Security researchers recommend implementing proper CSRF protections by: 1) Detecting user submissions through referer checking, implementing tokens, or verification codes, and 2) Using POST operations instead of GET requests for modification and deletion operations (GitHub Issue).