CVE-2008-3851

Pluck CMS 4.5.2 - Unauthenticated Path Traversal via Blogpost, Cat, and File Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-3851. PoCs published by DSecRG.

AI-analyzed exploit summary: The advisory details multiple Local File Include (LFI) vulnerabilities in Pluck CMS 4.5.2, exploitable via the GET parameters 'file', 'blogpost', and 'cat'. The vulnerabilities allow path traversal using backslash sequences (..\) on systems, such as Windows, that accept the backslash as a path separator.

Description

Multiple directory traversal vulnerabilities in Pluck CMS 4.5.2 on Windows allow remote attackers to include and execute arbitrary local files via a ..\ (dot dot backslash) in the (1) blogpost, (2) cat, and (3) file parameters to data/inc/themes/predefined_variables.php, as reachable through index.php; and the (4) blogpost and (5) cat parameters to data/inc/blog_include_react.php, as reachable through index.php. NOTE: the issue involving vectors 1 through 3 reportedly exists because of an incomplete fix for CVE-2008-3194.
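The description above names the parameters and the separator involved, which is enough to build a defender-side check. The following is an added example, not Pluck CMS code and not part of the original advisory: it scans web server access log lines for traversal attempts in the blogpost, cat and file parameters, treating the backslash and its percent-encoded forms (%5C, double-encoded %255C) the same as a forward slash, and it shows an allowlist-style name check that does not share the blind spot a forward-slash-only filter has. The "combined" log format, the sample log lines, the base directory and the bare-name policy are all assumptions made for the example.

```python
"""Detect CVE-2008-3851-style traversal in access logs and validate names safely.

Added example, not Pluck CMS code. Assumes Apache/nginx "combined" log format
and that the application only ever needs a bare name in these parameters.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters named in the CVE description (reached through index.php).
SUSPECT_PARAMS = {"blogpost", "cat", "file"}

# "combined" access log layout; only ip, request target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Allowlist for a bare file/category/post name: no separators of either kind.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample log lines (not real traffic): one benign request per
# parameter, one single-encoded ..%5C attempt, one double-encoded ..%255c attempt.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Aug/2008:10:00:01 +0000] "GET /index.php?file=about HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Aug/2008:10:00:02 +0000] "GET /index.php?file=..%5C..%5Cdata%5Cconfig HTTP/1.1" 200 731',
    '198.51.100.9 - - [27/Aug/2008:10:00:03 +0000] "GET /index.php?blogpost=..%255c..%255cdata%255csettings HTTP/1.1" 200 200',
    '198.51.100.9 - - [27/Aug/2008:10:00:04 +0000] "GET /index.php?cat=news HTTP/1.1" 200 300',
    '192.0.2.5 - - [27/Aug/2008:10:00:05 +0000] "POST /login.php HTTP/1.1" 302 0',
]


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), then map backslash to slash.

    One check then covers both separators Windows PHP accepts, which is the
    point the original ../-only filter missed.
    """
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def has_traversal(value: str) -> bool:
    """True if any path segment of the normalized value is '..'."""
    return ".." in normalize(value).split("/")


def suspicious_params(target: str) -> dict:
    """Return {param: once-decoded value} for suspect params that traverse."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {
        name: v
        for name, values in qs.items() if name in SUSPECT_PARAMS
        for v in values if has_traversal(v)
    }


def scan_access_log(lines):
    """Yield one hit dict per log line carrying a traversal in a suspect param."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = suspicious_params(m["target"])
        if bad:
            hits.append({"ip": m["ip"], "status": int(m["status"]), "params": bad})
    return hits


def safe_data_path(base_dir: str, name: str):
    """Allowlist approach for the fix side: accept only a bare name, never a path.

    Rejecting anything outside [A-Za-z0-9_-] refuses '..\\' and '../' alike,
    so there is no separator-specific blacklist left to get incomplete.
    Returns the joined path or None. base_dir is an assumption for the example.
    """
    if not SAFE_NAME.match(name):
        return None
    return posixpath.join(base_dir, name)


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Run as a script to see the two flagged lines; point `scan_access_log` at real log lines to hunt for historical attempts. The detector reports on the request regardless of response status, because a 200 on a traversal request is worth reviewing and a 404 still tells you who is probing.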

Exploits (1)

Exploit-DB writeup (verified)
by DSecRG · text · webapps · php
https://www.exploit-db.com/exploits/6300


Classification: Writeup (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Pluck CMS 4.5.2
Authentication: None needed
Prerequisites: Target system must accept backslash as a path separator (the CVE description scopes the issue to Windows)
Analyzed by devstral-2 on Feb 16, 2026

References (7)

http://www.pluck-cms.org/releasenotes.php#4.5.3 (vendor release notes, confirm)
http://www.securityfocus.com/bid/30820 (SecurityFocus BID 30820: Exploit, Patch, VDB Entry)
https://exchange.xforce.ibmcloud.com/vulnerabilities/44677 (IBM X-Force 44677: Third Party Advisory, VDB Entry)
http://securityreason.com/securityalert/4195 (SecurityReason 4195: Third Party Advisory)
https://www.exploit-db.com/exploits/6300 (Exploit-DB 6300: Exploit, Third Party Advisory)
http://secunia.com/advisories/31607 (Secunia 31607: Vendor Advisory)
http://www.securityfocus.com/archive/1/495706/100/0/threaded (Bugtraq mailing list post: Third Party Advisory, VDB Entry)

Scores

EPSS score: 0.0794 (94.0th percentile)

Details

CWE
CWE-22
Status published
Products (1)
pluck/pluck 4.5.2
Published Aug 27, 2008
Tracked Since Feb 18, 2026