CVE-2021-27984: 
Pluck CMS vulnerability analysis and mitigation

A remote command execution vulnerability was discovered in Pluck CMS version 4.7.15, specifically in the admin background when uploading files. The vulnerability was identified and reported on March 3, 2021 (GitHub Issue).

The vulnerability exists in the file management section of the admin interface. The issue stems from two main components: the file deletion function in 'data/in/deletefile.php' (lines 21-22) and the upload function in 'data/in/file.php' (lines 34-52). The upload function implements a blacklist check for file extensions, where blacklisted files are renamed with a '.txt' extension. However, this protection can be bypassed using race conditions (GitHub Issue).

When successfully exploited, this vulnerability allows attackers to upload and execute arbitrary PHP files on the server, potentially leading to complete server compromise. The attacker can maintain persistent access as long as the race condition is maintained (GitHub Issue).

While no official patch information is directly available in the sources, administrators should consider implementing additional file upload restrictions, proper file type validation, and ensuring that PHP files cannot be executed from upload directories.