
Cloud Vulnerability DB
A community-led vulnerabilities database
A file upload vulnerability in PluckCMS v4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file. The vulnerability was discovered and disclosed on October 23, 2019, and affects the admin back-end functionality of PluckCMS version 4.7.10 (GitHub Issue).
The vulnerability exists in the file /pluck/data/inc/trashcan_restoreitem.php at line 54. When a file is restored from the trashcan and a file of the same name already exists in the uploaded files directory, the system renames the restored file, and that rename can be abused. For example, if a file named 'shell.php.txt' is processed, the system splits it into $filename='shell' and $extension='php', then inserts '_copy' between them to produce 'shell_copy.php', which turns a harmless-looking .txt upload into a file the server will execute as PHP (GitHub Issue).
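To make the rename described above concrete, the following is an added Python example, not PluckCMS's own code (which is PHP). It reconstructs the split-and-rename behaviour as the advisory describes it, under the assumption that the split takes the first two dot-separated segments of the name, and pairs it with a hardened rename that preserves the file's real (last) extension and checks it against an allowlist, plus a small defender-side check that lists entries in an upload directory whose effective extension a web server would execute. The allowlist, the executable-extension set and the sample filenames are constructed for the example.

```python
# Added example (not PluckCMS code): reconstruction of the flawed rename the
# advisory describes, a hardened rename, and a defender check for upload dirs.
import re
from typing import List, Tuple

# Constructed allowlist of extensions an upload directory may legitimately hold.
ALLOWED_EXTENSIONS = {"txt", "jpg", "jpeg", "png", "gif", "pdf"}

# Constructed set of extensions a typical PHP-enabled web server would execute.
SERVER_EXECUTABLE = {"php", "phtml", "phar"}


def split_as_described(name: str) -> Tuple[str, str]:
    """Assumed reconstruction of the advisory's split: the first dot-separated
    segment is the base name and the second is the extension, so
    'shell.php.txt' becomes ('shell', 'php')."""
    parts = name.split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[0], parts[1]


def collision_name_vulnerable(name: str) -> str:
    """Name given to a restored file when one of the same name already exists,
    as the advisory describes: '<base>_copy.<ext>'. The real last extension
    ('txt') is silently discarded."""
    base, ext = split_as_described(name)
    return f"{base}_copy.{ext}" if ext else f"{base}_copy"


def effective_extension(name: str) -> str:
    """The extension a web server actually dispatches on: the text after the
    LAST dot, lower-cased; empty if there is no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def collision_name_hardened(name: str) -> str:
    """Hardened variant: keep everything before the final extension as the stem,
    append '_copy' to the stem, and refuse any file whose effective extension is
    not on the allowlist. The rename therefore never changes what the server
    would execute."""
    orig_ext = effective_extension(name)
    if orig_ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"refusing to restore {name!r}: extension {orig_ext!r} not allowed")
    stem = name[: -(len(orig_ext) + 1)]
    # Reduce the stem to a conservative character set so separators and
    # control characters cannot survive into the new name.
    stem = re.sub(r"[^A-Za-z0-9_.-]", "_", stem)
    candidate = f"{stem}_copy.{orig_ext}"
    # Defensive re-check: the effective extension must be unchanged.
    if effective_extension(candidate) != orig_ext:
        raise ValueError("rename changed the effective extension")
    return candidate


def flag_executable_uploads(names: List[str]) -> List[str]:
    """Defender check: return the upload-directory entries whose effective
    extension the server would execute, e.g. names produced by the flawed
    rename. Run it over a directory listing after any restore operation."""
    return [n for n in names if effective_extension(n) in SERVER_EXECUTABLE]


if __name__ == "__main__":
    sample = "shell.php.txt"  # constructed, matches the advisory's example
    print("vulnerable rename:", collision_name_vulnerable(sample))  # shell_copy.php
    print("hardened rename:  ", collision_name_hardened(sample))    # shell.php_copy.txt
    # Constructed directory listing after a restore.
    listing = ["shell_copy.php", "shell.php_copy.txt", "photo.png"]
    print("would execute:    ", flag_executable_uploads(listing))
```

The point the hardened version makes is that any validation of an uploaded name must be applied to the final name the file is stored under, after every rename, not only to the name at upload time; the flawed rename passes a '.txt' check on the way in and produces a '.php' on the way out.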
The vulnerability allows an attacker to execute arbitrary code on the affected system by abusing the file restoration mechanism: because the restored file lands in the uploaded files directory with a .php extension, it can be executed as a web shell, which could lead to complete system compromise (GitHub Issue).
The issue has been labeled resolved in the GitHub repository. Users should upgrade to a patched version of PluckCMS if one is available. In the absence of a patch, administrators should carefully monitor file uploads and implement additional validation of file extensions and types (GitHub Issue).
Source: This report was generated using AI