CVE-2020-20718: 
Pluck CMS vulnerability analysis and mitigation

File Upload vulnerability in PluckCMS v.4.7.10 dev versions allows a remote attacker to execute arbitrary code via a crafted image file to the save_file() parameter. The vulnerability was discovered and disclosed on October 12, 2019, affecting the development version of PluckCMS 4.7.10 (GitHub Issue).

The vulnerability exists in the language.php file within the admin.php component, specifically in the save_file() function. An attacker can exploit this by uploading a malicious image file that gets written to \data\settings\langpref.php. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD Database).

A successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected system, potentially leading to complete system compromise. The critical CVSS score of 9.8 indicates the severe nature of this vulnerability, with potential for high impacts on confidentiality, integrity, and availability (NVD Database).

Users should upgrade from the affected development version (4.7.10-dev) to a patched version of PluckCMS. If immediate upgrade is not possible, administrators should restrict access to the admin interface and implement strict file upload validation (GitHub Issue).