Pluck CMS 4.7.2 allows remote attackers to obtain sensitive information by (1) changing βPHPSESSIDβ to an array; (2) adding non-alphanumeric chars to βPHPSESSIDβ; (3) changing the image parameter to an array; or (4) changing the image parameter to a string, which reveals the installation path in an error message.