CVE-2021-31746: 
Pluck CMS vulnerability analysis and mitigation

Zip Slip vulnerability was discovered in Pluck-CMS version 4.7.15, affecting the module and theme installers. The vulnerability allows attackers to upload specially crafted zip files that can lead to directory traversal and potentially arbitrary code execution. The vulnerability was disclosed on April 21, 2021 (GitHub Issue). The vulnerability received a CVSS base score of 7.5 HIGH, indicating significant severity (NVD).

The vulnerability exists in the module and theme installation functionality of Pluck-CMS. When processing ZIP archives, the application fails to properly validate file paths within the archive, allowing for directory traversal attacks. This vulnerability is tracked as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (NVD).

The vulnerability allows attackers to write files to arbitrary locations on the filesystem outside of the intended directory structure. This can lead to arbitrary code execution with the permissions of the webserver user. The attack could potentially compromise the entire system if successful (GitHub Issue).