
Cloud Vulnerability DB
A community-led vulnerabilities database
A file upload vulnerability was discovered in Pluck CMS version 4.7.10-dev2 that allows remote attackers to execute arbitrary code and access sensitive information via the theme.php file (GitHub Issue). The vulnerability affects the theme installation functionality in the admin interface.
The vulnerability exists in the theme installation feature, reachable in the admin interface at 'options->choose theme->install theme'. An attacker with admin access can upload a malicious theme package containing PHP code in the theme.php file, which is executed when the theme is activated. The vulnerability has a CVSS v3.1 base score of 7.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).
Successful exploitation allows attackers to execute arbitrary PHP code on the server, potentially leading to complete system compromise. The attacker can access sensitive information, modify system files, and potentially gain persistent access to the server (GitHub Issue).
The vulnerability affects Pluck CMS versions up to 4.7.10-dev2. While version 4.7.10-dev4 has upload functionality issues that prevent direct exploitation, the underlying vulnerability theoretically exists in that version as well (GitHub Issue).
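A pre-install review check for the theme upload path described above, as an added example that is not part of the advisory or of Pluck's code: it lists the PHP files in a theme package and flags command-execution, request-handling and decoder constructs. The zip format, the member names and the pattern list are assumptions (the advisory only says "theme package"), and because a theme.php legitimately contains PHP, a hit is a prompt for manual review rather than a verdict.

```python
import io
import re
import zipfile

# Heuristic patterns (assumed, not exhaustive): constructs a presentation
# template seldom needs. Hits are prompts for manual review, not verdicts.
SUSPICIOUS = {
    "code-exec": re.compile(
        rb"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(",
        re.I),
    "request-input": re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE|FILES)\b"),
    "decoder": re.compile(rb"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}
# Extensions commonly mapped to the PHP handler on a web server.
PHP_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.I)


def audit_theme_package(data: bytes) -> list[tuple[str, str]]:
    """Return (member, finding) pairs for a theme zip supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not PHP_EXT.search(info.filename):
                continue  # only files the server would run as PHP
            body = zf.read(info)
            for label, pattern in SUSPICIOUS.items():
                if pattern.search(body):
                    findings.append((info.filename, label))
    return findings


def build_sample(theme_php: bytes) -> bytes:
    """Build a constructed theme package in memory (names are hypothetical)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/info.php", b"<?php $name = 'Demo'; ?>")
        zf.writestr("demo/theme.php", theme_php)
        zf.writestr("demo/style.css", b"body { margin: 0 }")
    return buf.getvalue()


# Constructed inputs: render_content() is a hypothetical template helper.
BENIGN = b"<html><body><?php render_content(); ?></body></html>"
FLAGGED = b"<?php $q = $_GET['q']; echo shell_exec('id'); ?>"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(label, audit_theme_package(build_sample(sample)))
```
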
Source: This report was generated using AI