Platform: wordpress
Component: omni-secure-files
Fixed in: 0.1.14
CVE-2012-10064 describes a critical Arbitrary File Access vulnerability affecting the Omni Secure Files plugin for WordPress. This flaw allows unauthenticated attackers to upload arbitrary files to the server, potentially enabling remote code execution. The vulnerability impacts versions of the plugin up to and including 0.1.13. A fix is available in version 0.1.14.
The primary impact of CVE-2012-10064 is the ability for an attacker to upload arbitrary files to a WordPress server. This can be exploited to upload web shells, allowing the attacker to execute arbitrary code on the server with the privileges of the web server user. Successful exploitation could lead to complete compromise of the web server, including data exfiltration, defacement, and further attacks against other systems on the network. The lack of file type validation makes this vulnerability particularly dangerous, as attackers can bypass common security measures.
CVE-2012-10064 was published in 2012 and has been known for a significant period. While no active campaigns specifically targeting this vulnerability have been publicly reported, the ease of exploitation and the potential impact make it a persistent risk, especially for older, unpatched WordPress installations. The vulnerability is not listed on KEV or EPSS. Public Proof-of-Concept (PoC) code is readily available, increasing the likelihood of exploitation.
Exploit Status
EPSS: 0.51% (66% percentile)
CVSS Vector
The primary mitigation for CVE-2012-10064 is to immediately upgrade the Omni Secure Files plugin to version 0.1.14 or later. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, a Web Application Firewall (WAF) configured to block file uploads with suspicious extensions (e.g., .php, .exe, .asp) can provide a temporary layer of protection. Regularly scan the WordPress installation for unauthorized files.
Update to version 0.1.14, or a newer patched version
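The version check and the file scan recommended above can be scripted. The following is an added example, not code from the plugin or from this advisory. It assumes a standard WordPress layout with the plugin in wp-content/plugins/omni-secure-files and a standard `Version:` plugin header, and it scans wp-content/uploads by default, which is an assumption because the page does not say where the plugin stores uploaded files.

```python
import re
import sys
from pathlib import Path

FIXED = (0, 1, 14)                     # first patched release, per the advisory
SLUG = "omni-secure-files"             # component name from the advisory
SUSPICIOUS = {".php", ".exe", ".asp"}  # extensions named in the mitigation text
HEADER = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)


def parse_version(text):
    """Return the plugin header version as a tuple of ints, or None."""
    m = HEADER.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".") if p)


def plugin_version(wp_root):
    """Read the Version: header from the plugin's top-level PHP files."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    for php in sorted(plugin_dir.glob("*.php")):
        # The header comment sits near the top of the main plugin file.
        version = parse_version(php.read_text(errors="replace")[:8192])
        if version is not None:
            return version
    return None  # plugin absent or header unreadable


def is_vulnerable(version):
    """True for 0.1.13 and earlier, False for 0.1.14 and later."""
    return version < FIXED


def suspicious_uploads(wp_root, subdir="wp-content/uploads"):
    """List files under subdir (assumed location) with a flagged extension."""
    base = Path(wp_root) / subdir
    # Check every suffix so names such as x.php.jpg are reported as well.
    return sorted(p for p in base.rglob("*")
                  if p.is_file() and SUSPICIOUS & {s.lower() for s in p.suffixes})


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    ver = plugin_version(root)
    if ver is None:
        print(f"{SLUG}: not found or no Version header")
    else:
        print(f"{SLUG} {ver}:", "VULNERABLE" if is_vulnerable(ver) else "patched")
    for hit in suspicious_uploads(root):
        print("review:", hit)
```

Run it with the WordPress root directory as the only argument. A flagged file is a candidate for review, not proof of compromise.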
CVE-2012-10064 is a critical vulnerability in the Omni Secure Files WordPress plugin allowing attackers to upload arbitrary files due to missing file type validation. This can lead to remote code execution and complete server compromise.
You are affected if you are running version 0.1.13 or earlier of the Omni Secure Files plugin for WordPress. Check your plugin version immediately and upgrade if necessary.
Upgrade the Omni Secure Files plugin to version 0.1.14 or later. If upgrading is not possible, temporarily disable the plugin and consider using a WAF to block suspicious file uploads.
While no specific active campaigns are publicly known, the vulnerability's ease of exploitation and potential impact make it a persistent risk, especially for unpatched systems.
The official advisory is typically found on the WordPress plugin repository page for Omni Secure Files, or on the developer's website (if available). Search for 'Omni Secure Files CVE-2012-10064' to locate relevant information.