CVE-2012-10019
BaseFortify

Publication date: 2025-07-19

Last updated on: 2025-12-19

Assigner: Wordfence

Description
The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload.php file in versions before 2.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.
Meta Information
Published: 2025-07-19
Last Modified: 2025-12-19
Generated: 2026-05-06
AI Q&A: 2025-07-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: scribu
Product: front-end_editor
Version / Range: up to 2.3 (exclusive; 2.3 itself is fixed)
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Front End Editor plugin for WordPress (versions before 2.3) and allows unauthenticated attackers to upload arbitrary files to the affected server due to missing file type validation in the upload.php file. This means attackers can upload malicious files, such as web shells, which can then be executed remotely, potentially leading to full compromise of the WordPress site. [1, 2]


How can this vulnerability impact me?

The impact of this vulnerability is severe. An attacker can upload and execute arbitrary files on the server, leading to remote code execution. This can result in full control over the affected WordPress installation, compromising confidentiality, integrity, and availability of the site and its data. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking for the presence of the vulnerable upload endpoint at `/wp-content/plugins/front-end-editor/lib/aloha-editor/plugins/extra/draganddropfiles/demo/upload.php` on your WordPress site. Additionally, you can search your web server logs for POST requests to this path, especially those with unusual file upload attempts or requests containing the header `X-File-Name` with suspicious filenames like `lo.php`. A Google dork `inurl:/wp-content/plugins/front-end-editor/` can be used to find potentially vulnerable sites. For example, using curl to test the upload endpoint: `curl -v -X POST -H "Content-Type: application/octet-stream" -H "X-File-Name: test.php" --data-binary @test.php http://yourwordpresssite/wp-content/plugins/front-end-editor/lib/aloha-editor/plugins/extra/draganddropfiles/demo/upload.php` can help verify if arbitrary file uploads are possible. [2]
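The log-based check described in the answer above, written out as a small Python scanner. This is an added example and is not code from the BaseFortify page, from Wordfence, or from the Front End Editor plugin. It reads standard combined-format access log lines and flags POST requests to the vulnerable upload.php path; an optional trailing quoted field carrying the X-File-Name request header is an assumption (stock Apache and nginx combined logs do not record that header, so a custom log format would be needed for it), and the sample log lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Vulnerable endpoint named in the advisory (Front End Editor before 2.3).
UPLOAD_PATH = ("/wp-content/plugins/front-end-editor/lib/aloha-editor/"
               "plugins/extra/draganddropfiles/demo/upload.php")

# Extensions the web server would execute if such a file landed on disk.
EXECUTABLE_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")

# Combined log format plus an optional trailing quoted field holding the
# X-File-Name header. That trailing field is an assumption: it only exists if
# the server's LogFormat was customised to emit the header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "[^"]*")?'        # referer and user-agent
    r'(?: "(?P<filename>[^"]*)")?'  # assumed X-File-Name field
    r'\s*$'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int              # 200 means the upload was accepted, 403 means blocked
    filename: Optional[str]  # value of X-File-Name when the log records it
    severity: str            # "high" if an executable filename was seen, else "medium"


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_upload_probe(rec: dict) -> bool:
    """True for a POST to the vulnerable endpoint; only POST can deliver a file."""
    path = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec["method"] == "POST" and path == UPLOAD_PATH


def classify(rec: dict) -> Finding:
    """Rate the hit: an executable filename in X-File-Name is the strongest signal."""
    name = rec.get("filename") or None
    executable = bool(name) and name.lower().endswith(EXECUTABLE_EXTENSIONS)
    return Finding(ip=rec["ip"], timestamp=rec["ts"], status=int(rec["status"]),
                   filename=name, severity="high" if executable else "medium")


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the check over every line and collect the hits in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_upload_probe(rec):
            findings.append(classify(rec))
    return findings


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jul/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Jul/2025:10:00:02 +0000] "POST ' + UPLOAD_PATH + ' HTTP/1.1" 200 15 "-" "curl/8.0" "lo.php"',
    '203.0.113.7 - - [19/Jul/2025:10:00:03 +0000] "GET ' + UPLOAD_PATH + ' HTTP/1.1" 200 0 "-" "curl/8.0"',
    '203.0.113.9 - - [19/Jul/2025:10:00:04 +0000] "POST ' + UPLOAD_PATH + '?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [19/Jul/2025:10:00:05 +0000] "POST ' + UPLOAD_PATH + ' HTTP/1.1" 200 15 "-" "Mozilla/5.0" "image.png"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.ip} status={f.status} file={f.filename!r}")
```

Run against a real log with `scan(open("/var/log/apache2/access.log"))`. A GET to the endpoint is not flagged, because only a POST carries a file; a POST answered with 403 is still reported, since it shows someone probing the path even though the server blocked it, which is the signal you want once the web-server restriction from the mitigation answer is in place.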


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Front End Editor plugin to version 2.3 or later, which includes proper file type validation to prevent arbitrary file uploads. Until the update can be applied, you should restrict access to the vulnerable upload.php file, for example by disabling or restricting HTTP POST requests to `/wp-content/plugins/front-end-editor/lib/aloha-editor/plugins/extra/draganddropfiles/demo/upload.php` via web server configuration or firewall rules. Monitoring and removing any suspicious uploaded files is also recommended. [1]

