CVE-2012-10019
Published 2025-07-19
Priority P274 | critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.28% (80.9th percentile)
The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload.php file in versions before 2.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| scribu | front-end_editor | < 2.3 | 2.3 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to the Front End Editor plugin's upload.php endpoint, which accepts arbitrary file types due to missing validation.
- Alert on files of unexpected/executable types (e.g., .php, .phtml) appearing in the WordPress upload folder, as the plugin bypasses the WordPress API file-type restrictions.
- The vulnerability exists in versions before 2.3 of the Front End Editor plugin; confirm the plugin version before applying detections, as patched versions use proper WordPress API file-type validation.
- The Metasploit module describes this as an authenticated vulnerability, while NVD describes it as exploitable by unauthenticated attackers; detection logic should cover both authenticated and unauthenticated upload attempts.
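As an added example (not from this record or its sources), the following Python detector applies the two log-based signals above to constructed Apache access-log lines. The plugin slug front-end-editor comes from the changeset reference, but the exact location of upload.php inside the plugin is an assumption; because an access log does not show authentication state, every POST to the endpoint is flagged, in line with the last item.

```python
import re

# Constructed sample access-log lines (Apache combined format); not taken from any source.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jul/2025:10:01:02 +0000] "POST /wp-content/plugins/front-end-editor/lib/upload.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [19/Jul/2025:10:01:05 +0000] "GET /wp-content/uploads/2025/07/shell.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.7 - - [19/Jul/2025:10:02:00 +0000] "GET /wp-content/uploads/2025/07/photo.jpg HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jul/2025:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signal 1: POST to the plugin's upload.php. The slug is from the record's changeset link;
# the sub-path of upload.php inside the plugin is hypothetical, so match any depth.
UPLOAD_ENDPOINT = re.compile(r'/wp-content/plugins/front-end-editor/.*upload\.php$', re.I)

# Signal 2: server-side executable extensions that should never sit under wp-content/uploads.
EXEC_IN_UPLOADS = re.compile(r'/wp-content/uploads/.*\.(php\d?|phtml|phar)$', re.I)


def detect(lines):
    """Return (client_ip, rule_name, path) for every line matching either signal."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]  # drop query string before matching
        if m.group("method") == "POST" and UPLOAD_ENDPOINT.search(path):
            findings.append((m.group("ip"), "fee_upload_post", path))
        elif EXEC_IN_UPLOADS.search(path):
            findings.append((m.group("ip"), "executable_in_uploads", path))
    return findings


if __name__ == "__main__":
    for ip, rule, path in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:22s} {ip:15s} {path}")
```

Pair the second rule with a filesystem sweep of the uploads directory, since a dropped file is only visible in the access log once something requests it.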
No detection rules found.
No writeups or analysis indexed.
References
- https://packetstormsecurity.com/files/132303/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=600233%40front-end-editor&old=569105%40front-end-editor&sfp_email=&sfph_mail=
- https://web.archive.org/web/20120712205339/https%3A//www.opensyscom.fr/Actualites/wordpress-plugins-front-end-editor-arbitrary-file-upload-vulnerability.html
- https://www.cybersecurity-help.cz/vdb/SB2012070701
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f271c2e7-9d58-4dea-95d3-3ffc4ec7c3b2?source=cve