Arbitrary File Upload Vulnerability in Asset-Manager Plugin for WordPress
CVE-2012-10026

10CRITICAL

Key Information:

Vendor

WordPress
Status
WordPress Plugin
Vendor
CVE Published:
5 August 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2012-10026?

The Asset-Manager plugin for WordPress, specifically versions up to 2.0, is susceptible to an arbitrary file upload issue found in upload.php. This vulnerability stems from the plugin's failure to properly validate or restrict uploaded file types, permitting unauthorized users to upload harmful PHP scripts to a commonly known temporary directory. Once a malicious script is uploaded, it can be executed via a simple HTTP GET request, potentially leading to remote code execution within the context of the web server. This could allow adversaries to manipulate the server environment, steal data, or compromise the integrity of the hosted website.

Affected Version(s)

Wordpress Plugin * <= 2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2012-10026 - Proof of Concept

CVE-2012-10026 - Proof of Concept

CVE-2012-10026 - Proof of Concept

References

https://raw.githubusercontent.com/rapid7/metasploit-frame...
exploit
https://www.exploit-db.com/exploits/18993
exploit
https://www.exploit-db.com/exploits/23652
exploit

CVSS V4

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sammy FORGIT
.
CVE-2012-10026 : Arbitrary File Upload Vulnerability in Asset-Manager Plugin for WordPress