CVE-2012-6649

CRITICAL

WordPress WP GPX Maps Plugin 1.1.21 - Remote Code Execution via Unrestricted File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-6649. PoCs published by Adrien Thierry.

AI-analyzed exploit summary This exploit leverages an arbitrary file upload vulnerability in WordPress wp-gpx-maps plugin version 1.1.21. By manipulating the `realGpxPath`, `target_path`, and `gpxRegEx` parameters, an attacker can upload malicious files to the server.

Description

WordPress WP GPX Maps Plugin 1.1.21 allows remote attackers to execute arbitrary PHP code via improper file upload.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Adrien Thierry · textwebappsphp

https://www.exploit-db.com/exploits/19050

View Code ZIP pw:eip

This exploit leverages an arbitrary file upload vulnerability in WordPress wp-gpx-maps plugin version 1.1.21. By manipulating the `realGpxPath`, `target_path`, and `gpxRegEx` parameters, an attacker can upload malicious files to the server.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: WordPress wp-gpx-maps plugin version 1.1.21

No auth needed

Prerequisites: Access to the vulnerable plugin URL

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/53909

Mailing List, Third Party Advisory x_refsource_misc

http://www.openwall.com/lists/oss-security/2014/06/26/4

Scores

CVSS v3 9.8

EPSS 0.3769

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

devfarm/wp_gpx_maps 1.1.21

Published Jan 23, 2020

Tracked Since Feb 18, 2026