CVE-2012-10026
published 2025-08-05CVE-2012-10026: The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to…
PriorityP276critical10CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCHSIHSAHEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EXPLOIT
EPSS
1.14%
62.7th percentile
The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded file types, allowing remote attackers to upload malicious PHP scripts to a predictable temporary directory. Once uploaded, the attacker can execute the file via a direct HTTP GET request, resulting in remote code execution under the web server’s context.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jkriddle | asset-manager | <= 2.0 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for unauthenticated HTTP POST requests to the Asset-Manager plugin's upload.php endpoint, particularly those uploading files with PHP extensions. ↗
- →Alert on PHP script files appearing in the plugin's temporary upload directory, as the upload destination is predictable and does not restrict file types. ↗
- ·The vulnerability only affects Asset-Manager plugin version 2.0 and below; ensure version scoping when deploying detections to avoid false positives on patched installations. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
http://web.archive.org/web/20150106144832/http://www.opensyscom.fr:80/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.htmlhttps://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rbhttps://wordpress.org/plugins/asset-manager/https://www.exploit-db.com/exploits/18993https://www.exploit-db.com/exploits/23652https://www.vulncheck.com/advisories/wordpress-plugin-asset-manager-php-file-uploadhttp://web.archive.org/web/20150106144832/http://www.opensyscom.fr:80/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.htmlhttps://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rbhttps://www.exploit-db.com/exploits/18993https://www.exploit-db.com/exploits/23652
2025-08-05
Published