Description

Omni Secure Files plugin versions prior to 0.1.14 contain an arbitrary file upload vulnerability in the bundled plupload example endpoint. The /wp-content/plugins/omni-secure-files/plupload/examples/upload.php handler allows unauthenticated uploads without enforcing safe file type restrictions, enabling an attacker to place attacker-controlled files under the plugin's uploads directory. This can lead to remote code execution if a server-executable file type is uploaded and subsequently accessed.

PUBLISHED Reserved 2026-01-16 | Published 2026-01-16 | Updated 2026-01-16 | Assigner VulnCheck




CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Default status
unaffected

Any version before 0.1.14
affected

Timeline

2012-06-07: Vulnerability was publicly disclosed

Credits

Adrien Thierry finder

References

wpscan.com/...rability/376fd666-6471-479c-9b74-1d8088a33e89/ exploit

wpscan.com/...rability/376fd666-6471-479c-9b74-1d8088a33e89/ third-party-advisory

www.wordfence.com/...secure-files-0113-arbitrary-file-upload third-party-advisory patch

wordpress.org/plugins/omni-secure-files/ product

www.acunetix.com/...upload-php-arbitrary-file-upload-0-1-13/ third-party-advisory

web.archive.org/...12632/http://secunia.com/advisories/49441 third-party-advisory

packetstorm.news/files/id/113411 exploit

www.exploit-db.com/exploits/19009 exploit

web.archive.org/.../https://www.securityfocus.com/bid/53872/ third-party-advisory

www.vulncheck.com/...s-unauthenticated-arbitrary-file-upload third-party-advisory

cve.org (CVE-2012-10064)

nvd.nist.gov (CVE-2012-10064)
