EIP-2026-111352

PRE-CVE

Pluck CMS 4.5.3 - 'update.php' Remote File Corruption

Title source: legacy
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-111352. PoCs published by Nine:Situations:Group.

AI-analyzed exploit summary This exploit targets Pluck CMS 4.5.3 by leveraging a file corruption vulnerability in update.php and a subsequent file inclusion flaw due to improper handling of GLOBALS when register_globals is enabled. It achieves remote code execution by injecting a PHP shell into data/count.php.

Description

Pluck CMS 4.5.3 - 'update.php' Remote File Corruption

Exploits (1)

exploitdb WORKING POC VERIFIED
by Nine:Situations:Group · phpwebappsphp
https://www.exploit-db.com/exploits/6492

This exploit targets Pluck CMS 4.5.3 by leveraging a file corruption vulnerability in update.php and a subsequent file inclusion flaw due to improper handling of GLOBALS when register_globals is enabled. It achieves remote code execution by injecting a PHP shell into data/count.php.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Pluck CMS 4.5.3
No auth needed
Prerequisites: register_globals = on · update.php accessible in the main folder
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve
Tracked Since Feb 18, 2026