CVE-2020-29607: 
Pluck CMS vulnerability analysis and mitigation

A file upload restriction bypass vulnerability was discovered in Pluck CMS versions before 4.7.13. The vulnerability allows an authenticated administrator to upload malicious files through the "manage files" functionality, which could lead to remote code execution on the host system (NVD).

The vulnerability exists due to improper file extension validation in the files.php script. The application uses a blacklist approach to restrict PHP file uploads, but this can be bypassed by using alternate extensions like .phar. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability allows an authenticated administrator to upload and execute arbitrary PHP code on the server, potentially leading to complete system compromise. The attacker could gain unauthorized access to sensitive data, modify system files, or use the server for malicious purposes (Github Issue).

The recommended mitigation is to upgrade to Pluck CMS version 4.7.13 or later. Additional security measures include implementing a whitelist approach for file extensions instead of blacklisting, renaming uploaded files to random names while removing original extensions, and using proper .htaccess configurations to prevent PHP file execution in upload directories (Github Issue).