Unauthenticated File Upload Vulnerability in WP-Property Plugin for WordPress
CVE-2012-10027

9.3CRITICAL

Key Information:

Vendor

WordPress
Status
WordPress Plugin
Vendor
CVE Published:
5 August 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2012-10027?

The WP-Property plugin for WordPress, prior to version 1.35.0, is vulnerable to an unauthenticated file upload issue due to a flaw in the uploadify.php script. This vulnerability allows an attacker to upload arbitrary PHP files to a temporary directory without requiring authentication, potentially leading to remote code execution. Malicious actors could exploit this weakness to execute harmful scripts on affected WordPress sites, compromising security and integrity.

Affected Version(s)

WordPress Plugin * <= 1.35.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2012-10027 - Proof of Concept

CVE-2012-10027 - Proof of Concept

CVE-2012-10027 - Proof of Concept

References

https://wordpress.org/plugins/wp-property/
product
https://raw.githubusercontent.com/rapid7/metasploit-frame...
exploit
https://www.exploit-db.com/exploits/18987
exploit

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sammy FORGIT
.
CVE-2012-10027 : Unauthenticated File Upload Vulnerability in WP-Property Plugin for WordPress