Cyber Posture

CVE-2012-10019

Critical · Public PoC

Published: 19 July 2025
Modified: 19 December 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6797 (98.6th percentile)
Risk Priority: 60 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2012-10019 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Scribu Front-End Editor. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent (SI-2, Flaw Remediation)

Directly mitigates CVE-2012-10019 by remediating the flaw: update the Front End Editor plugin to version 2.3 or later, which adds file type validation.

prevent (SI-10, Information Input Validation)

Prevents arbitrary file uploads by enforcing input validation that checks file types at the upload.php endpoint.

detect

Identifies CVE-2012-10019 in vulnerable WordPress plugins via vulnerability scanning, enabling timely flaw remediation.

NVD Description

The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the upload.php file in versions before 2.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Deeper analysis [AI]

CVE-2012-10019 is an arbitrary file upload vulnerability in the Front End Editor plugin for WordPress, affecting versions prior to 2.3. The flaw arises from missing file type validation in the upload.php file, allowing attackers to upload arbitrary files to the affected site's server. Classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for high-impact exploitation.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction or privileges required. Successful exploitation enables the upload of malicious files, which may lead to remote code execution on the server, granting full control over the compromised WordPress site.

Advisories recommend updating the Front End Editor plugin to version 2.3 or later to mitigate the issue by implementing proper file type validation. Patch details are documented in the WordPress plugin trac changeset transitioning to the fixed version, with additional analysis available from sources like Packet Storm Security, the archived OpenSyscom advisory, Cybersecurity-Help, and Wordfence threat intelligence.
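As an added illustration of the file type validation the advisory describes (constructed example, not the plugin's own code or its 2.3 changeset), this is a WordPress AJAX upload handler that allowlists file types server-side and refuses unauthenticated requests; the names prefixed `fee_` are hypothetical, while the other functions are WordPress core APIs.

```php
<?php
// Constructed example (not the Front End Editor plugin's code or its 2.3
// changeset): a WordPress AJAX upload handler that enforces the file type
// validation the advisory describes. Names prefixed fee_ are hypothetical;
// the other functions are WordPress core APIs.

// Allowlist of what a front-end editor needs. Anything else is refused,
// so the client-supplied name never decides how the server treats the file.
const FEE_MIMES = array(
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'gif'      => 'image/gif',
);

function fee_validate_upload( array $file ) {
    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'fee_no_file', 'No uploaded file.' );
    }
    // Core compares the extension against the allowlist and, for images,
    // sniffs the content; any mismatch comes back with an empty 'ext'/'type'.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], FEE_MIMES );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'fee_bad_type', 'File type not permitted.' );
    }
    return $check;
}

function fee_handle_upload() {
    // The original flaw was reachable unauthenticated: require a nonce and a
    // capability before touching the file at all.
    check_ajax_referer( 'fee_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $check = fee_validate_upload( $_FILES['file'] );
    if ( is_wp_error( $check ) ) {
        wp_send_json_error( $check->get_error_message(), 400 );
    }
    // Let core store the file; the same allowlist is applied again and the
    // file is renamed to the verified extension if the client's name lied.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => FEE_MIMES ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'], 'type' => $result['type'] ) );
}
// Registered for logged-in users only: deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_fee_upload', 'fee_handle_upload' );
```

The check runs on the server's view of the file (extension against the allowlist plus content sniffing for images), which is the property the pre-2.3 endpoint lacked.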

Details

CWE(s)

CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products

scribu / front-end editor / ≤ 2.3

CVEs Like This One

CVE-2021-35485 (shared CWE-434)
CVE-2020-36942 (shared CWE-434)
CVE-2025-34299 (shared CWE-434)
CVE-2025-26411 (shared CWE-434)
CVE-2024-57169 (shared CWE-434)
CVE-2023-53933 (shared CWE-434)
CVE-2025-68909 (shared CWE-434)
CVE-2021-47757 (shared CWE-434)
CVE-2025-68986 (shared CWE-434)
CVE-2025-56704 (shared CWE-434)

References