CVE-2020-20969: Pluck-4.7.10 admin background exists a remote command execution vulnerability · Issue #86 · pluck-cms/pluck

File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file.

Tags: #vulnerability #web #php

Pluck-4.7.10 admin background exists a remote command execution vulnerability

It happens when restoring a file from the trashcan, and the restored file has the same name as one of the files in the uploaded files directory.
The coding flaw is in file /pluck/data/inc/trashcan_restoreitem.php at line 54.

When $var1 is 'shell.php.txt', $filename gets the value 'shell' and $extension gets the value 'php'; after concatenating with the string '_copy', we get the final filename 'shell_copy.php'.

Proof

Step 1: login -> pages -> manage files; upload a file with the name shell.php.txt

Upload succeeds.

Step 2: delete the file to the trashcan

Step 3: upload the same file again

Step 4: restore the file from the trashcan; the restored file is renamed to shell_copy.php

Step 5: visit the webshell

Note: operating via "manage images" does the same, as it has the same coding flaw at line 76.
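As an added example, not code from Pluck CMS or from the issue reporter, the following PHP contrasts the naming behaviour the report describes (split on the first dot, so "shell.php.txt" yields "shell" and "php" and the collision copy becomes "shell_copy.php") with a hardened restore-rename routine that keeps the real last extension, checks it against an allowlist, refuses a script extension hidden in an earlier segment, and rejects path characters. The function names, the allowlist and the script-extension deny list are assumptions for the illustration; it needs PHP 8 for str_contains.

```php
<?php
declare(strict_types=1);

// Added example, not code from Pluck CMS or the issue above. Names, the
// allowlist and the deny list are assumptions for the illustration.

// Reconstruction of the behaviour the report describes: split on the first
// dot, so "shell.php.txt" becomes "shell" + "php" and the copy is "shell_copy.php".
function weak_copy_name(string $name): string
{
    [$filename, $extension] = array_pad(explode('.', $name, 3), 2, '');
    return $filename . '_copy' . ($extension !== '' ? '.' . $extension : '');
}

// Assumed allowlist of extensions a user may restore into the upload directory.
const ALLOWED_EXTENSIONS = ['txt', 'pdf', 'zip', 'jpg', 'jpeg', 'png', 'gif'];

// Extensions some web-server configurations execute even when they are not the
// last one (e.g. Apache AddHandler matching "x.php.txt"); assumed deny list.
const SCRIPT_EXTENSIONS = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'phps'];

/**
 * Return a safe name for restoring $name next to the $existing files, or null
 * if the name must be rejected. The real (last) extension is kept and checked
 * against the allowlist; a script extension in any earlier segment is refused;
 * on a collision "_copy", "_copy2", ... is inserted before the extension.
 */
function safe_restore_name(string $name, array $existing): ?string
{
    // Reject empty names, anything with a path component, and embedded NUL bytes.
    if ($name === '' || $name !== basename($name) || str_contains($name, "\0")) {
        return null;
    }

    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION)); // "txt" for "shell.php.txt"
    $base = pathinfo($name, PATHINFO_FILENAME);               // "shell.php"

    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Refuse a script extension hiding in any dot-separated segment of the base.
    foreach (explode('.', strtolower($base)) as $segment) {
        if (in_array($segment, SCRIPT_EXTENSIONS, true)) {
            return null;
        }
    }

    // Resolve a name collision without ever changing the extension.
    $candidate = $base . '.' . $ext;
    $n = 0;
    while (in_array($candidate, $existing, true)) {
        $n++;
        $candidate = $base . '_copy' . ($n > 1 ? (string) $n : '') . '.' . $ext;
    }
    return $candidate;
}

// Constructed listing of the upload directory after steps 1 to 3 of the report.
$uploaded = ['shell.php.txt', 'report.txt'];

var_dump(weak_copy_name('shell.php.txt'));             // the name the report describes
var_dump(safe_restore_name('shell.php.txt', $uploaded)); // rejected by the hardened check
var_dump(safe_restore_name('report.txt', $uploaded));    // benign collision gets a copy name
var_dump(safe_restore_name('../report.txt', $uploaded)); // path component rejected
```

The key design choice is that the collision suffix is inserted before the last extension rather than rebuilt from a first-dot split, so the restored file can never acquire an extension the original upload did not already carry; the allowlist and the segment scan then ensure that extension is one the upload directory is meant to serve as static content.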
