Asset-Manager WP Plugin 2.0- File Upload RCE via upload.php
CVE-2012-10026 Published on August 5, 2025

WordPress Plugin Asset-Manager <= 2.0 PHP File Upload
The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded file types, allowing remote attackers to upload malicious PHP scripts to a predictable temporary directory. Once uploaded, the attacker can execute the file via a direct HTTP GET request, resulting in remote code execution under the web servers context.

NVD

Weakness Type

What is an Unrestricted File Upload Vulnerability?

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

CVE-2012-10026 has been classified to as an Unrestricted File Upload vulnerability or weakness.


Products Associated with CVE-2012-10026

stack.watch emails you whenever new vulnerabilities are published in Asset Manager Wordpress Plugin or HP Asset Manager. Just hit a watch button to start following.

 
 

Affected Versions

jkriddle asset-manager:

Exploit Probability

EPSS
1.19%
Percentile
64.42%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.