Vulnerability DatabaseCVE-2020-20918

CVE-2020-20918:
Pluck CMS vulnerability analysis and mitigation

Overview

CVE-2020-20918 is a security vulnerability discovered in Pluck CMS version 4.7.10-dev2. The vulnerability allows remote attackers to execute arbitrary PHP code via the hidden parameter to admin.php when editing a page. The issue was disclosed through a GitHub issue report (GitHub Issue).

Technical details

The vulnerability exists in the data/inc/functions.admin.php file (lines 531-535). The application saves the hidden parameter passed by the POST request to PHP but fails to properly escape special characters (like single quotes) in the value. This allows attackers to break out of the PHP syntax and execute arbitrary commands like phpinfo() or eval() functions (GitHub Issue).

Impact

If successfully exploited, this vulnerability allows authenticated attackers to execute arbitrary PHP code on the server. This could lead to complete system compromise, including the ability to read sensitive files, modify website content, or use the server for further attacks (GitHub Issue).

Mitigation and workarounds

Users should upgrade to a version newer than Pluck CMS 4.7.10-dev2 that contains the security fix. If upgrading is not immediately possible, administrators should implement strict input validation for the hidden parameter and ensure proper escaping of special characters in user inputs (GitHub Issue).

Additional resources

GitHub Issue

Source: This report was generated using AI

Related Pluck CMS vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2024-43042	CRITICAL	9.8	Pluck CMS	cpe:2.3:a:pluck-cms:pluck	No	Yes	Aug 16, 2024
CVE-2023-50564	HIGH	8.8	Pluck CMS	cpe:2.3:a:pluck-cms:pluck	No	Yes	Dec 14, 2023
CVE-2025-46099	HIGH	7.2	Pluck CMS	cpe:2.3:a:pluck-cms:pluck	No	Yes	Jul 23, 2025
CVE-2023-5013	MEDIUM	5.4	Pluck CMS	cpe:2.3:a:pluck-cms:pluck	No	Yes	Sep 16, 2023
CVE-2024-9405	MEDIUM	5.3	Pluck CMS	cpe:2.3:a:pluck-cms:pluckcms	No	Yes	Oct 01, 2024

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2020-20918: Pluck CMS vulnerability analysis and mitigation