Pluck CMS Cross-Site Scripting Vulnerability in Page Editor

Vulnerability

A stored cross-site scripting vulnerability has been identified in Pluck CMS versions prior to 4.7.21-dev. The page editor (editpage.php) does not sanitize the content submitted when a page is first created, so an attacker with access to the admin page editor can store arbitrary HTML and JavaScript in the page body. Because the content is persisted and emitted unchanged, the injected script runs in the browser of every visitor who views the page, not just the author's.

Impact

Exploitation executes the injected JavaScript in the context of each user who views the affected page, with that user's cookies and privileges. This can lead to session hijacking (for example, theft of an administrator's session when an administrator previews the page) or to actions performed on the site on behalf of the victim.

Reproduction

To reproduce this vulnerability, log into the Pluck CMS admin panel and open the page editor via admin.php?action=editpage. Create the first page and insert a JavaScript payload into the content field. Save the page and then view it: the script executes. Viewing the page source confirms the cause, as the payload appears in the output exactly as it was entered, with no encoding or tag filtering applied.
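The following is an added illustration, not code from Pluck CMS, of the two behaviours described in the Vulnerability and Reproduction sections above: a page renderer that emits stored content verbatim (a stand-in for the unsanitized editpage.php path) next to one that passes the content through an allowlist sanitizer before output, plus a small detector that checks whether active content survived into the rendered page. The page template, the function names, the allowlist and the proof-of-concept payload are all constructed for this example; the sanitizer is a generic allowlist approach, not the fix that shipped in 4.7.21-dev.

```python
"""Added illustration (not Pluck's code): unsanitized vs allowlist-sanitized
page rendering, and a detector for active content in the rendered output."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markup a page author may legitimately use; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "h2", "h3", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style=, no on*= anywhere
SAFE_SCHEMES = {"http", "https", "mailto"}


def url_scheme(value):
    """Scheme of a URL attribute after stripping the ASCII control and space
    characters browsers ignore, so a scheme split by a tab is still caught."""
    cleaned = re.sub(r"[\x00-\x20]+", "", value or "")
    return urlparse(cleaned).scheme.lower()


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                       # drop the tag, keep its text content
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # drops onerror=, onclick=, style=, ...
            if name == "href":
                scheme = url_scheme(value)
                if scheme and scheme not in SAFE_SCHEMES:
                    continue             # javascript:, data:, vbscript:, ...
            rendered.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))
    # comments and processing instructions fall through to the no-op defaults


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


PAGE_TEMPLATE = "<html><body><h1>{title}</h1>\n{content}\n</body></html>"


def render_page_vulnerable(title, content):
    """Stand-in for the pre-4.7.21-dev behaviour: stored content emitted as-is."""
    return PAGE_TEMPLATE.format(title=html.escape(title), content=content)


def render_page_sanitized(title, content):
    """Same template, but the stored content passes the allowlist first."""
    return PAGE_TEMPLATE.format(title=html.escape(title), content=sanitize(content))


class ActiveContentDetector(HTMLParser):
    """Lists script elements, on* handlers and javascript: URLs in a document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag}> {name} event handler")
            elif name in ("href", "src") and url_scheme(value) == "javascript":
                self.findings.append(f"<{tag}> {name} javascript: URL")


def find_active_content(document):
    """Verification helper: what a reviewer would look for in the saved page."""
    detector = ActiveContentDetector()
    detector.feed(document)
    detector.close()
    return detector.findings


# Constructed proof-of-concept content: three common vectors inside ordinary markup.
PAYLOAD = ('<p>Welcome</p><script>alert(document.domain)</script>'
           '<img src=x onerror="alert(document.domain)">'
           '<a href="javascript:alert(1)">link</a>')

if __name__ == "__main__":
    print("vulnerable:", find_active_content(render_page_vulnerable("Home", PAYLOAD)))
    print("sanitized :", find_active_content(render_page_sanitized("Home", PAYLOAD)))
    print(render_page_sanitized("Home", PAYLOAD))
```

Run stand-alone, the script reports three findings for the verbatim renderer and none for the sanitized one, and prints the cleaned page with only the paragraph and a bare link left. Two design points matter here: the sanitizer is an allowlist that rebuilds the markup rather than a blocklist that strips known-bad strings, and it classifies URL schemes after removing the control characters browsers ignore, so a tab inside "javascript:" does not slip through. If the editor does not need to accept HTML at all, html.escape on the whole content field is the simpler and safer choice.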

Remediation

Update to Pluck CMS version 4.7.21-dev or later. Until the update is applied, restrict admin-panel access to trusted accounts, since the vulnerable editor is only reachable after logging in, and review existing pages for injected script content.

Added: May 4, 2026, 2:22 PM
Updated: May 4, 2026, 2:22 PM

Vulnerability Rating

Custom Algorithm

spread          2.2
impact          5.4
exploitability  7.9
remediation     7.7
relevance       7.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.