EIP-2026-111355

PRE-CVE

Pluck CMS 4.7 - HTML Code Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-111355. PoCs published by Yashar shahinzadeh.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability in Pluck CMS 4.7, allowing an attacker to inject malicious HTML content into existing pages. The script automates the creation of HTML files that, when visited by an authenticated admin, submit a form to modify page content.

Description

Pluck CMS 4.7 - HTML Code Injection

Exploits (1)

exploitdb WORKING POC VERIFIED

by Yashar shahinzadeh · textwebappsphp

https://www.exploit-db.com/exploits/27398

View Code ZIP pw:eip

This exploit demonstrates a CSRF vulnerability in Pluck CMS 4.7, allowing an attacker to inject malicious HTML content into existing pages. The script automates the creation of HTML files that, when visited by an authenticated admin, submit a form to modify page content.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Pluck CMS 4.7

Auth required

Prerequisites: Authenticated admin session · Access to the target CMS pages

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026