CVE-2020-29607

HIGH

Pluck CMS < 4.7.13 - Authenticated Remote Code Execution via File Upload Restriction Bypass

Title source: llm

Exploitation Summary

EIP tracks 9 public exploits for CVE-2020-29607, including the verified Exploit-DB entry by Ron Jost and GitHub PoCs by abbarhissarh, ar2o3 and others.

AI-analyzed exploit summary: The public PoCs all follow the same sequence. They authenticate to the Pluck admin interface with valid admin credentials, use the "manage files" page (admin.php?action=files) to upload a PHP webshell whose name ends in .phar rather than .php, and then issue commands through the uploaded file. The file manager's extension filter does not reject .phar, but a stock Apache PHP handler configuration still executes it as PHP, which is what turns an admin-only file upload into code execution on the host. Every PoC includes login and session handling; the more complete ones ship an interactive shell loop.

Description

A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the "manage files" functionality, which may result in remote code execution.

Two practitioner caveats on that text. First, the "before 4.7.13" wording is the NVD phrasing, but every tracked PoC, including the verified Exploit-DB entry, was written against and tested on 4.7.13 itself; do not treat a 4.7.13 install as patched on the strength of the version range alone. Second, the weakness (CWE-434) is an extension denylist: the file manager refuses .php but not .phar (or other extensions the web server's PHP handler matches), so the boundary being crossed is admin-of-the-CMS to shell-on-the-host. Admin credentials are required (CVSS PR:H), so exposure depends on how those credentials are protected and on whether the upload directory is allowed to execute scripts at all.
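The following is an added example, not code from this page or from any of the listed PoCs. It puts the vulnerable pattern (a short extension denylist) beside a hardened one (an explicit allowlist applied to every dotted suffix) and checks both against the pattern Debian/Ubuntu's stock php*-apache2 configuration uses to decide what the PHP engine executes, so the .phar gap is visible as data rather than as a sentence. The sample filenames are constructed for the example; the allowlist contents are an assumption and should be whatever the application actually needs to accept.

```python
import os
import re

# Constructed sample of filenames an authenticated admin might submit to a CMS
# file manager. shell.phar is the bypass this CVE describes; the others are
# variants that a denylist written for ".php" alone also lets through.
SAMPLE_UPLOADS = [
    "report.pdf",
    "logo.png",
    "shell.php",
    "shell.phar",
    "shell.phtml",
    "shell.PHP",
    "shell.php.bak",
    "archive.tar.gz",
]

# The vulnerable pattern (CWE-434): block only the extensions you happen to know about.
DENYLIST = {".php"}


def denylist_allows(filename: str) -> bool:
    """Denylist check of the kind that lets .phar through."""
    _, ext = os.path.splitext(filename)
    return ext not in DENYLIST


# Debian/Ubuntu's stock php*-apache2 packaging hands every request matching this
# FilesMatch pattern to the PHP engine, so an uploaded .phar or .phtml runs as PHP.
# FilesMatch is case-sensitive on Linux, so "shell.PHP" is NOT executed by this rule.
APACHE_PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")


def server_would_execute(filename: str) -> bool:
    """True if the stock Apache PHP handler would execute a file with this name."""
    return APACHE_PHP_HANDLER.match(os.path.basename(filename)) is not None


# The hardened pattern: accept only an explicit allowlist (assumed contents), compared
# lower-cased, and require every dotted suffix to be on it, because with mod_mime
# AddHandler-style configs Apache can dispatch on any extension in a multi-extension
# name (shell.php.bak must fail, archive.tar.gz may pass).
ALLOWLIST = {".pdf", ".png", ".jpg", ".jpeg", ".gif", ".txt", ".zip", ".tar", ".gz"}


def allowlist_allows(filename: str) -> bool:
    """Allowlist check: non-empty stem, at least one suffix, every suffix permitted."""
    stem, *exts = os.path.basename(filename).split(".")
    if not stem or not exts:  # rejects dotfiles such as .htaccess and bare names
        return False
    return all("." + e.lower() in ALLOWLIST for e in exts)


def audit(filenames):
    """Names the denylist accepts that the web server would nonetheless execute."""
    return [f for f in filenames if denylist_allows(f) and server_would_execute(f)]


if __name__ == "__main__":
    print("denylist lets through and Apache executes:", audit(SAMPLE_UPLOADS))
    print("allowlist accepts:", [f for f in SAMPLE_UPLOADS if allowlist_allows(f)])
```

The allowlist alone is not the whole fix: an upload directory should also carry `php_flag engine off` or a `<FilesMatch>` deny on script extensions, so that a future gap in the filename check does not become execution again.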

Exploits (9)

exploitdb WORKING POC VERIFIED
by Ron Jost · python · webapps · php
https://www.exploit-db.com/exploits/49909

This exploit demonstrates an authenticated file upload vulnerability in Pluck CMS 4.7.13, allowing an admin to bypass restrictions and upload a malicious PHAR file (webshell) for remote code execution. The PoC includes authentication, session handling, and a fully functional webshell payload.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Pluck CMS 4.7.13 · Auth required
Prerequisites: Admin credentials · Network access to target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 6 stars
by abbarhissarh · poc
https://github.com/abbarhissarh/CVE-2020-29607

This repository contains a functional exploit for CVE-2020-29607, which targets a file upload restriction bypass in Pluck CMS 4.7.13. The exploit authenticates as an admin, uploads a malicious .phar file (webshell), and achieves remote code execution.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Pluck CMS 4.7.13 · Auth required
Prerequisites: Admin credentials · Network access to target
devstral-2 · analyzed Apr 10, 2026
nomisec WORKING POC 6 stars
by ar2o3 · poc
https://github.com/ar2o3/CVE-2020-29607

This repository contains a functional exploit for CVE-2020-29607, which targets a file upload restriction bypass in Pluck CMS 4.7.13. The exploit authenticates as an admin, uploads a malicious .phar file, and achieves remote code execution.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Pluck CMS 4.7.13 · Auth required
Prerequisites: Admin credentials for Pluck CMS · Network access to the target
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 1 stars
by 0xN7y · poc
https://github.com/0xN7y/CVE-2020-29607

This repository contains a functional exploit for CVE-2020-29607, targeting Pluck CMS. The exploit authenticates with provided credentials, uploads a malicious PHAR file via a multipart form-data request, and executes arbitrary commands through the uploaded shell.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Pluck CMS 4.7.13 · Auth required
Prerequisites: Valid admin credentials for Pluck CMS (the file manager is admin-only) · Network access to the target
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by estebanzarate · poc
https://github.com/estebanzarate/CVE-2020-29607-Pluck-CMS-4.7.13-Authenticated-File-Upload-RCE-PoC

This repository contains a functional Python exploit for CVE-2020-29607, which leverages an authenticated file upload vulnerability in Pluck CMS <= 4.7.13. The exploit uploads a .phar file (treated as PHP by Apache) via the admin file manager, resulting in remote code execution.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Pluck CMS <= 4.7.13 · Auth required
Prerequisites: Valid admin credentials · Access to the admin interface
devstral-2 · analyzed Feb 28, 2026
nomisec WORKING POC
by CaelumIsMe · poc
https://github.com/CaelumIsMe/CVE-2020-29607-POC

This repository contains a functional Python exploit for CVE-2020-29607, a file upload restriction bypass in Pluck CMS 4.7.13. The exploit authenticates as an admin, uploads a malicious .phar file, and achieves remote code execution via a minimal PHP webshell.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Pluck CMS 4.7.13 · Auth required
Prerequisites: Admin credentials for Pluck CMS · Network access to the target
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by Alienfader · poc
https://github.com/Alienfader/CVE-2020-29607

This exploit demonstrates an authenticated file upload vulnerability in Pluck CMS, allowing an attacker to upload a malicious PHP webshell. The script authenticates with the target, then uploads a shell disguised as a .phar file, bypassing restrictions to achieve remote code execution.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Pluck CMS (version not stated by the repository) · Auth required
Prerequisites: Valid admin credentials for Pluck CMS · Network access to the target · The "manage files" upload functionality enabled
devstral-2 · analyzed Feb 19, 2026
inthewild WORKING POC
poc
https://github.com/0xstarford/cve-2020-29607

This repository contains a functional exploit for CVE-2020-29607, which leverages an authenticated file upload restriction bypass in Pluck CMS 4.7.13 to achieve remote code execution via a .phar file upload.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Pluck CMS 4.7.13 · Auth required
Prerequisites: Admin credentials · Access to admin.php?action=files
devstral-2 · analyzed Feb 23, 2026
inthewild WORKING POC
poc
https://github.com/0xabbarhsf/cve-2020-29607

This repository contains a functional exploit for CVE-2020-29607, which targets a file upload restriction bypass in Pluck CMS 4.7.13. The exploit authenticates as an admin, uploads a malicious .phar file (webshell), and achieves remote code execution.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Pluck CMS 4.7.13 · Auth required
Prerequisites: Admin credentials · Network access to target
devstral-2 · analyzed Feb 23, 2026
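Every PoC above leaves the same two traces in a web server's access log: a POST to the file manager endpoint (admin.php?action=files) followed by requests for a PHP-handled file under the upload directory. The following is an added example, not code from this page or from any of the PoCs, showing that sequence as detection logic run over constructed Apache combined-format log lines. Treating /files/ as the directory the file manager writes to, and the login.php path in the sample, are assumptions for this example; adjust the regexes to the real document root layout.

```python
import re
from collections import defaultdict

# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The upload endpoint is the one the PoCs name (admin.php?action=files). Using
# /files/ as the upload directory is an assumption for this example.
UPLOAD_RE = re.compile(r'^/admin\.php\?(?:[^#]*&)?action=files(?:&|$)')
# Anything under the upload directory that a stock PHP handler would execute,
# with or without a query string (the PoCs pass commands as ?cmd=...).
SHELL_RE = re.compile(r'^/files/[^?]*\.ph(?:ar|tml|p\d?)(?:\?|$)')

# Constructed access-log lines: one admin session that uploads and then calls a
# shell, one legitimate upload of a PDF, and one unauthenticated probe for a shell.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2026:10:01:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "python-requests/2.31.0"',
    '10.0.0.5 - - [16/Feb/2026:10:01:03 +0000] "POST /admin.php?action=files HTTP/1.1" 200 4120 "-" "python-requests/2.31.0"',
    '10.0.0.5 - - [16/Feb/2026:10:01:04 +0000] "GET /files/shell.phar?cmd=id HTTP/1.1" 200 58 "-" "python-requests/2.31.0"',
    '192.168.1.20 - - [16/Feb/2026:10:05:10 +0000] "POST /admin.php?action=files HTTP/1.1" 200 4120 "https://pluck.example/admin.php?action=files" "Mozilla/5.0"',
    '192.168.1.20 - - [16/Feb/2026:10:05:12 +0000] "GET /files/report.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Feb/2026:11:40:00 +0000] "GET /files/c.phtml HTTP/1.1" 404 196 "-" "curl/8.5.0"',
]


def parse(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Flag requests for PHP-handled files under the upload directory.

    Severity is raised to high when the same client already POSTed to the file
    manager earlier in the log, which is the upload-then-execute sequence of the
    PoCs. A 404 probe with no prior upload still surfaces, at medium, because it
    shows someone looking for a shell by name.
    """
    uploads = defaultdict(list)  # client ip -> timestamps of file-manager POSTs
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and UPLOAD_RE.match(rec["path"]):
            uploads[rec["ip"]].append(rec["ts"])
        elif SHELL_RE.match(rec["path"]):
            prior = uploads.get(rec["ip"], [])
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": rec["status"],
                "severity": "high" if prior else "medium",
                "upload_posts": list(prior),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["ip"], a["path"], "HTTP", a["status"],
              "after file-manager POSTs at", a["upload_posts"])
```

On a real host, pair this with a filesystem check of the upload directory for the same extensions; the log only shows what was requested, while the directory shows what was written.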

Scores

CVSS v3 7.2
EPSS 0.8356 (83.6%)
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
The PR:H component (admin credentials required) is what holds the score at High rather than Critical; the impact once authenticated is full compromise of the host (C:H/I:H/A:H).

Details

CWE
CWE-434 (Unrestricted Upload of File with Dangerous Type)
Status published
Products (1)
pluck-cms/pluck < 4.7.13
Published Dec 16, 2020
Tracked Since Feb 18, 2026