This report documents a critical security vulnerability discovered in PluckCMS that allows authenticated attackers to achieve remote code execution through a Zip Slip attack vector. The vulnerability exists in the module upload functionality and can be exploited by uploading a specially crafted ZIP archive containing malicious PHP code.
GitHub Repository: https://github.com/pluck-cms/pluck.git
Affected Version: 4.7.20
Vulnerability Type: Zip Slip leading to Remote Code Execution (RCE)
Affected Component: Module Management System (Options → Manage Modules)
Attack Vector: Malicious ZIP file upload
Authentication Required: Yes (Admin panel access)
Severity: Critical
The vulnerability stems from inadequate validation and sanitization of ZIP archive contents during the module upload process. PluckCMS allows administrators to upload modules in ZIP format without validating the file paths (entry names) contained within the archive. An attacker can therefore craft a ZIP file whose entry names contain path traversal sequences, causing files to be written outside the intended module directory, anywhere on the server filesystem the web server user can write.
When the archive is extracted, the application does not verify that each extracted file resolves to a location inside the intended module directory. An attacker can use this weakness to write a PHP file to a web-accessible location and then execute arbitrary code on the server by requesting that file.
The vulnerability can be reproduced using the following environment:
git clone https://github.com/pluck-cms/pluck.git
cd pluck
ddev config --project-type=php --docroot=.
ddev start
Hosted URL: http://pluck.ddev.site
- Access the Admin Panel: Navigate to the PluckCMS installation and authenticate with administrative credentials
- Navigate to Module Management: Go to Options → Manage Modules
- Prepare Malicious Payload: Create a PHP file with malicious code and package it in a ZIP archive with crafted file paths
- Upload the Archive: Use the module upload functionality to submit the malicious ZIP file
- Trigger Execution: Access the uploaded PHP file through the web server to execute arbitrary commands
A proof-of-concept payload demonstrating command execution capability was used during testing. The payload leverages PHP's system execution functions to run operating system commands.
<?php
$fn = "sys" . "tem";
(string) $fn("id");
?>

Successful exploitation of this vulnerability allows an authenticated attacker with administrative access to:
- Execute arbitrary system commands on the host server
- Read, modify, or delete sensitive files and databases
- Compromise the confidentiality, integrity, and availability of the system
- Pivot to other systems on the network
- Establish persistent backdoors for continued access
While the vulnerability requires administrative authentication, it represents a critical security risk as it provides a direct path to full system compromise.
- Restrict Module Upload Access: Limit module upload functionality to trusted administrators only
- Monitor Upload Activity: Review logs for suspicious ZIP file uploads
- File Integrity Checks: Verify that no malicious files have been uploaded to the system
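The root cause described above (entry names inside the archive are trusted, and extracted paths are never checked against the destination directory) is fixed by validating every entry before anything is written to disk, and then re-checking the resolved path of each file during extraction. The following is an added example of such a hardened extraction routine; it is not PluckCMS code, and the function names, the destination directory and the upload path shown in the usage comment are assumptions made for illustration.

```php
<?php
// Added example: hardened module extraction that rejects Zip Slip archives.
// Not part of PluckCMS; function names and paths are assumptions.

function isSafeZipEntry(string $entryName): bool
{
    // Empty names, absolute paths and Windows drive prefixes are never valid module paths.
    if ($entryName === '' || $entryName[0] === '/' || $entryName[0] === '\\') {
        return false;
    }
    if (preg_match('/^[A-Za-z]:/', $entryName)) {
        return false;
    }
    // Any ".." path component allows escaping the destination directory.
    foreach (preg_split('#[\\\\/]+#', $entryName) as $part) {
        if ($part === '..') {
            return false;
        }
    }
    return true;
}

function extractModuleSafely(string $zipPath, string $destDir): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("Cannot open archive: $zipPath");
    }
    $destReal = realpath($destDir);
    if ($destReal === false || !is_dir($destReal)) {
        $zip->close();
        throw new RuntimeException("Destination directory does not exist: $destDir");
    }

    // Pass 1: validate every entry name before writing a single byte to disk.
    // Rejecting the whole archive avoids a partially extracted module.
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || !isSafeZipEntry($name)) {
            $zip->close();
            throw new RuntimeException("Rejected archive: unsafe entry name '" . var_export($name, true) . "'");
        }
    }

    // Pass 2: extract, re-verifying that each resolved parent directory is still
    // inside $destReal (defence in depth, e.g. against symlinked directories).
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name   = $zip->getNameIndex($i);
        $target = $destReal . DIRECTORY_SEPARATOR . $name;

        if (substr($name, -1) === '/') {
            // Directory entry.
            if (!is_dir($target) && !mkdir($target, 0755, true)) {
                throw new RuntimeException("Cannot create directory: $target");
            }
            continue;
        }

        $parent = dirname($target);
        if (!is_dir($parent) && !mkdir($parent, 0755, true)) {
            throw new RuntimeException("Cannot create directory: $parent");
        }
        $parentReal = realpath($parent);
        $prefix     = $destReal . DIRECTORY_SEPARATOR;
        if ($parentReal === false
            || ($parentReal !== $destReal && strpos($parentReal . DIRECTORY_SEPARATOR, $prefix) !== 0)) {
            throw new RuntimeException("Refusing to write outside module directory: $target");
        }

        $data = $zip->getFromIndex($i);
        if ($data === false || file_put_contents($target, $data) === false) {
            throw new RuntimeException("Failed to extract entry: $name");
        }
    }
    $zip->close();
}

// Usage (assumed paths): the uploaded archive and the directory modules live in.
// extractModuleSafely('/tmp/uploaded-module.zip', __DIR__ . '/data/modules');
```

Two design points are worth noting. The archive is validated in full before extraction starts, so a malicious entry late in the archive cannot leave earlier entries already on disk. And the path check does not, by itself, restrict what a module may contain: modules are PHP code by design, so an administrator who uploads a module is still trusted to run code, which is why the mitigations above still limit upload rights to trusted administrators and monitor upload activity.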
- GitHub Repository: https://github.com/pluck-cms/pluck.git
- OWASP Zip Slip Vulnerability: https://owasp.org/www-community/vulnerabilities/Zip_Slip