CVE-2012-10027
published 2025-08-05

CVE-2012-10027: WP-Property plugin for WordPress up to and including version 1.35.0 contains an unauthenticated file upload vulnerability in the third-party `uploadify.php`…

Priority: P271 · critical · 9.3 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.62% (73.1th percentile)
WP-Property plugin for WordPress up to and including version 1.35.0 contains an unauthenticated file upload vulnerability in the third-party `uploadify.php` script. A remote attacker can upload arbitrary PHP files to a temporary directory without authentication, leading to remote code execution.

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| wp-property | wordpress_plugin | <= 1.35.0 | |

Detection & IOCs

path: uploadify.php
version: WP-Property <= 1.35.0
  • Monitor for unauthenticated POST requests targeting the uploadify.php script within the WP-Property plugin directory, particularly those uploading PHP files.
  • Alert on PHP files appearing in the WP-Property temporary upload directory without a corresponding authenticated session, as this indicates exploitation of the unauthenticated file upload vulnerability.
  • The vulnerability is limited to WP-Property versions up to and including 1.35.0; sites running later versions are not affected.
  • The vulnerable endpoint is the third-party uploadify.php script bundled with the plugin, not WordPress core itself.