Arbitrary File Upload Vulnerability in Asset-Manager Plugin for WordPress
CVE-2012-10026
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 5 August 2025
Badges
What is CVE-2012-10026?
The Asset-Manager plugin for WordPress, specifically versions up to 2.0, is susceptible to an arbitrary file upload issue found in upload.php. This vulnerability stems from the plugin's failure to properly validate or restrict uploaded file types, permitting unauthorized users to upload harmful PHP scripts to a commonly known temporary directory. Once a malicious script is uploaded, it can be executed via a simple HTTP GET request, potentially leading to remote code execution within the context of the web server. This could allow adversaries to manipulate the server environment, steal data, or compromise the integrity of the hosted website.
Affected Version(s)
Wordpress Plugin * <= 2.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved