The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded file types, allowing remote attackers to upload malicious PHP scripts to a predictable temporary directory. Once uploaded, the attacker can execute the file via a direct HTTP GET request, resulting in remote code execution under the web server’s context.
History

Thu, 07 Aug 2025 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Asset-manager
Asset-manager asset-manager Wordpress Plugin
Wordpress
Wordpress wordpress
Vendors & Products Asset-manager
Asset-manager asset-manager Wordpress Plugin
Wordpress
Wordpress wordpress

Tue, 05 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Description The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded file types, allowing remote attackers to upload malicious PHP scripts to a predictable temporary directory. Once uploaded, the attacker can execute the file via a direct HTTP GET request, resulting in remote code execution under the web server’s context.
Title WordPress Plugin Asset-Manager <= 2.0 PHP File Upload
Weaknesses CWE-434
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-08-05T20:06:23.563Z

Updated: 2025-08-05T20:06:23.563Z

Reserved: 2025-08-05T15:56:05.520Z

Link: CVE-2012-10026

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-05T20:15:33.377

Modified: 2025-08-05T21:06:02.657

Link: CVE-2012-10026

cve-icon Redhat

No data.