Cross-Site Scripting Vulnerability in Pluck CMS Albums Module
CVE-2026-16205
Key Information:
Badges
What is CVE-2026-16205?
A potential cross-site scripting (XSS) vulnerability exists in the Albums Module of Pluck CMS versions up to 4.7.21. The issue arises from improper handling of user input in the htmlspecialchars_decode function within the file data/modules/albums/albums.admin.php. By manipulating the argument Info, an attacker can execute a remote XSS attack, potentially compromising user data. Despite an early report highlighting this issue, the project team has yet to address it.
Affected Version(s)
CMS 4.7.0
CMS 4.7.1
CMS 4.7.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
