CVE-2018-11736

CRITICAL

Pluck < 4.7.7-dev2 - Unauthenticated Arbitrary PHP File Upload via .htaccess MIME Type Bypass

Title source: LLM

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-11736. PoCs published by CodeSecLab, purgemebaby.

AI-analyzed exploit summary: This exploit leverages an arbitrary file upload vulnerability in Pluck CMS to upload a malicious .htaccess file, allowing PHP code execution via files with a .jpg extension. The PoC provides clear steps to exploit the vulnerability by bypassing file type restrictions.

Description

An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file.

Exploits (2)

exploitdb · WORKING POC
by CodeSecLab · text · webapps · php
https://www.exploit-db.com/exploits/52460


Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Pluck CMS 4.7.7-dev2 to 4.74-dev5
Auth required
Prerequisites: Access to admin panel · File upload permissions
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 2 stars
by purgemebaby · poc
https://github.com/purgemebaby/CVE-2018-11736

This is a functional Rust-based exploit for CVE-2018-11736, targeting Pluck CMS. It uploads a malicious .htaccess file and a fake image to achieve RCE by coercing the server to interpret .jpg files as PHP scripts.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Pluck CMS versions prior to 4.7.7-dev2
Auth required
Prerequisites: Valid session cookie · Access to upload functionality · Malicious .htaccess and fake image files
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References (2)
Exploit, Third Party Advisory (x_refsource_confirm): https://github.com/pluck-cms/pluck/issues/61
Release Notes, Third Party Advisory (x_refsource_confirm): https://github.com/pluck-cms/pluck/releases/tag/4.7.7-dev2

Scores

CVSS v3: 9.8
EPSS: 0.0804
EPSS Percentile: 92.3%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (2)
pluck-cms/pluck 4.7.7-dev1
pluck-cms/pluck < 4.7.7
Published: Jun 05, 2018
Tracked Since: Feb 18, 2026