Description
Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent function
Published: 2026-05-04
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross-site scripting flaw exists in the editpage.php module of Pluck CMS versions prior to 4.7.21dev. The sanitizePageContent function, which is meant to neutralize active content in submitted page bodies, fails to do so, so a payload saved through the page editor is stored and served to every later viewer of that page. The script runs in those viewers' browsers within the CMS's origin; when the viewer is an administrator, the attacker can perform administrative actions in that session, which is the privilege escalation the CVE description refers to.

Affected Systems

All installations of Pluck CMS older than version 4.7.21dev are affected. No official CPE list has been published; OpenCVE's enrichment records the vendor as Pluck-cms and the product as pluckcms. The affected code is the sanitizePageContent function as used by editpage.php across those releases.

Risk and Exploitability

The CVSS score is 5.7, indicating moderate risk. EPSS data is unavailable, and the vulnerability is not listed in CISA's KEV catalog. The vector (AV:N, AC:H, PR:H, UI:R) says the attack is remote over the web interface but needs an account that can reach the page editor (high privileges) and a victim who then interacts with the stored content; attack complexity is rated high. The payload executes as JavaScript in the browser of whoever views the stored page, not as code on the server, and when that viewer is an administrator the attacker inherits that administrator's authority in the CMS, which is why the SSVC entry rates the technical impact as total.

Generated by OpenCVE AI on May 4, 2026 at 15:52 UTC.
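The sanitizer-class failure the analysis describes, as an added example that is not Pluck CMS code and does not reproduce the real sanitizePageContent: a blacklist sanitizer that removes only <script> blocks (hypothetical naiveSanitize) beside an allow-list sanitizer built on PHP's DOMDocument (hypothetical allowListSanitize), both run over constructed payloads. The function names, the allow-list, the safe-scheme list, and the payloads are this example's own assumptions.

```php
<?php
// Added example; not Pluck CMS code. Function names, the allow-list and the
// payloads are assumptions made for illustration.
declare(strict_types=1);

// Blacklist sanitizer of the kind that fails: it strips <script> blocks and
// nothing else. Markup that runs JavaScript without a <script> element passes.
function naiveSanitize(string $html): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $html) ?? '';
}

// Allow-list sanitizer: parse the fragment, keep only listed elements and
// attributes, and drop URL attributes whose scheme is not explicitly safe.
function allowListSanitize(string $html): string
{
    $allowed = [
        'p' => [], 'br' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
        'ul' => [], 'ol' => [], 'li' => [],
        'a' => ['href', 'title'], 'img' => ['src', 'alt'],
    ];
    $urlAttrs = ['href', 'src'];
    $safeSchemes = ['http', 'https', 'mailto'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate malformed input quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }

    $clean = function (DOMNode $parent) use (&$clean, $allowed, $urlAttrs, $safeSchemes): void {
        // Snapshot the child list: the loop mutates it.
        foreach (iterator_to_array($parent->childNodes) as $node) {
            if ($node instanceof DOMComment) {
                $parent->removeChild($node);     // no conditional-comment tricks
                continue;
            }
            if (!$node instanceof DOMElement) {
                continue;                        // text nodes serialize escaped
            }
            $tag = strtolower($node->tagName);
            if (!isset($allowed[$tag])) {
                // Unknown element: drop active/embedding elements with their
                // content, unwrap everything else and keep its (cleaned) children.
                if (in_array($tag, ['script', 'style', 'iframe', 'object', 'embed'], true)) {
                    $parent->removeChild($node);
                } else {
                    $clean($node);
                    while ($node->firstChild !== null) {
                        $parent->insertBefore($node->firstChild, $node);
                    }
                    $parent->removeChild($node);
                }
                continue;
            }
            foreach (iterator_to_array($node->attributes) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, $allowed[$tag], true);   // kills on* handlers
                if ($keep && in_array($name, $urlAttrs, true)) {
                    // Browsers ignore control characters inside a scheme
                    // ("java\tscript:"), so strip them before inspecting it.
                    $norm = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->value) ?? '');
                    if (preg_match('#^([a-z][a-z0-9+.\-]*):#', $norm, $m)
                        && !in_array($m[1], $safeSchemes, true)) {
                        $keep = false;
                    }
                }
                if (!$keep) {
                    $node->removeAttribute($attr->name);
                }
            }
            $clean($node);
        }
    };
    $clean($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Coarse reporter for the comparison only: does the output still carry an
// executable hook? Entities are decoded and URL control characters removed
// first, since a browser does the same before deciding what to run.
function looksExecutable(string $html): bool
{
    $s = preg_replace('/[\t\n\r]/', '', html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8')) ?? '';
    return (bool) preg_match('#<script|\son[a-z]+\s*=|javascript\s*:#i', $s);
}

// Constructed payloads; none of them needs a <script> element.
$payloads = [
    '<img src=x onerror=alert(document.cookie)>',
    '<a href="javascript:alert(1)">click</a>',
    '<a href="JaVa&#x09;script:alert(1)">click</a>',
    '<svg onload=alert(1)>',
    '<p>harmless <b>bold</b> text</p>',
];
foreach ($payloads as $p) {
    printf("%-45s naive: %-8s allow-list: %s\n", $p,
        looksExecutable(naiveSanitize($p)) ? 'PASSES' : 'blocked',
        looksExecutable(allowListSanitize($p)) ? 'PASSES' : 'blocked');
}
```

Run with `php sanitize_compare.php`. The first four payloads pass the blacklist sanitizer untouched and are neutralized by the allow-list one (the event handlers and the javascript: href are dropped, the unknown svg element is unwrapped), while the harmless paragraph survives both. The design point is that a sanitizer should decide what to keep from a parsed tree rather than what to delete from a string; a regex over raw markup cannot enumerate every way a browser will execute script.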

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pluck CMS to version 4.7.21dev or later, the first release the CVE description reports as unaffected by the sanitizePageContent flaw.
  • Verify that editpage.php is only accessible to authenticated users with appropriate authority before allowing page editing.
  • If an upgrade is not immediately possible, remove or restrict access to editpage.php and disable the page editing feature for unauthenticated or untrusted users.

Generated by OpenCVE AI on May 4, 2026 at 15:52 UTC.

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Pluck-cms; Pluck-cms pluckcms
Vendors & Products                     Pluck-cms; Pluck-cms pluckcms

Mon, 04 May 2026 16:15:00 +0000

Type                  Values Removed   Values Added
Title                                  Stored XSS in Pluck CMS Page Editor Enabling Privilege Escalation

Mon, 04 May 2026 15:30:00 +0000

Type                  Values Removed   Values Added
Weaknesses                             CWE-79
Metrics                                ssvc (v2.0.3): Exploitation: poc; Automatable: no; Technical Impact: total

Mon, 04 May 2026 14:15:00 +0000

Type                  Values Removed   Values Added
Description                            Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent function
References
Metrics                                cvssV3_1: 5.7 (CVSS:3.1/AC:H/AV:N/A:N/C:H/I:H/PR:H/S:U/UI:R)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T14:24:01.940Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31205

Vulnrichment

Updated: 2026-05-04T14:22:48.846Z

NVD

Status : Received

Published: 2026-05-04T14:16:32.863

Modified: 2026-05-04T15:16:03.847

Link: CVE-2026-31205

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:30:02Z

Weaknesses