Pligg 2.0.3 allows remote authenticated users to execute arbitrary commands because the template editor can edit any file, as demonstrated by an admin/admin_editor.php the_file=..%2Findex.php&open=Open request.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25287
Reference (s):
- https://github.com/jenaye/pligg/blob/master/README.md