CVE-2012-10026
WordPress Plugin Asset-Manager <= 2.0 PHP File Upload
| CVSS Score | 0.0 |
| EPSS Score | 69.7% |
| EPSS Percentile | 99th |
The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded file types, allowing remote attackers to upload malicious PHP scripts to a predictable temporary directory. Once uploaded, the attacker can execute the file via a direct HTTP GET request, resulting in remote code execution under the web server's context.
| CWE | CWE-434 |
| Vendor | jkriddle |
| Product | asset-manager |
| Published | Aug 5, 2025 |
| Last Updated | May 28, 2026 |
Affected Versions
jkriddle / asset-manager
0 ≤ 2.0
References
raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb
exploit-db.com: https://www.exploit-db.com/exploits/18993
exploit-db.com: https://www.exploit-db.com/exploits/23652
web.archive.org: http://web.archive.org/web/20150106144832/http://www.opensyscom.fr:80/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html
wordpress.org: https://wordpress.org/plugins/asset-manager/
vulncheck.com: https://www.vulncheck.com/advisories/wordpress-plugin-asset-manager-php-file-upload
Credits
Sammy FORGIT