The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded file types, allowing remote attackers to upload malicious PHP scripts to a predictable temporary directory. Once uploaded, the attacker can execute the file via a direct HTTP GET request, resulting in remote code execution under the web server’s context.
History
Thu, 07 Aug 2025 07:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Asset-manager Asset-manager asset-manager Wordpress Plugin Wordpress Wordpress wordpress | |
Vendors & Products | Asset-manager Asset-manager asset-manager Wordpress Plugin Wordpress Wordpress wordpress | |
Tue, 05 Aug 2025 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded file types, allowing remote attackers to upload malicious PHP scripts to a predictable temporary directory. Once uploaded, the attacker can execute the file via a direct HTTP GET request, resulting in remote code execution under the web server’s context. | |
Title | WordPress Plugin Asset-Manager <= 2.0 PHP File Upload | |
Weaknesses | CWE-434 | |
References | | |
Metrics | cvssV4_0 | |

Status: PUBLISHED
Assigner: VulnCheck
Published: 2025-08-05T20:06:23.563Z
Updated: 2025-08-05T20:06:23.563Z
Reserved: 2025-08-05T15:56:05.520Z
Link: CVE-2012-10026


Status : Awaiting Analysis
Published: 2025-08-05T20:15:33.377
Modified: 2025-08-05T21:06:02.657
Link: CVE-2012-10026
