HIGH 7.5

CVE-2023-54350: WordPress Augmented-Reality Plugin Remote Code Execution

The WordPress Augmented-Reality plugin contains a critical flaw in its elFinder file manager connector that allows anyone on the internet to upload and run malicious PHP code on affected servers without needing to log in. An attacker can craft special requests to the connector.minimal.php file, use commands to create files, and then execute those files—giving them the ability to take over the server.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-306
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2023-54350 is a remote code execution vulnerability in the WordPress Augmented-Reality plugin's elFinder connector. The vulnerability stems from insufficient authentication controls on the connector.minimal.php endpoint (CWE-306: Missing Authentication for Critical Function). Attackers can send unauthenticated POST requests using mkfile and put commands to write arbitrary PHP files into the file_manager directory, then trigger execution of those files on the web server. The attack requires no user interaction, no special privileges, and works over the network, resulting in a CVSS 3.1 score of 7.5 (HIGH severity with confidentiality impact).

Business impact

Successful exploitation grants an attacker arbitrary code execution on the web server hosting the WordPress installation. This permits data theft from the database, modification or deletion of site content, installation of backdoors for persistence, lateral movement into internal networks, and potential use of the compromised server as a staging ground for attacks on other systems. For organizations relying on WordPress for customer-facing applications or sensitive operations, this vulnerability represents an immediate path to full compromise.

Affected systems

WordPress installations with the Augmented-Reality plugin installed are affected. The vulnerability is unauthenticated and network-reachable, meaning any WordPress site with this plugin active is vulnerable by default unless network-level access controls restrict traffic to the vulnerable endpoint. Organizations should inventory their WordPress instances to identify those using this plugin and its current version.

Exploitability

This vulnerability is highly exploitable. It requires no authentication, no special configuration, and can be triggered with basic HTTP POST requests. The attack is straightforward: an attacker sends a crafted request to a known endpoint (connector.minimal.php) with file creation and execution commands. Public documentation or basic reverse-engineering of the elFinder connector could enable rapid weaponization. The lack of any authentication barrier makes this a critical priority for immediate remediation.

Remediation

The primary remediation is to update the WordPress Augmented-Reality plugin to a patched version that fixes the authentication bypass in the elFinder connector. Until a patch is available or deployable, disable or remove the Augmented-Reality plugin entirely. If the plugin is essential, restrict network access to the connector.minimal.php endpoint using a Web Application Firewall (WAF) or network ACLs to allow only authorized users or IP ranges. Additionally, implement general WordPress hardening: disable file editing, restrict plugin/theme uploads, and monitor the file_manager directory for unauthorized PHP files.

Patch guidance

Check the WordPress plugin repository and the plugin vendor's advisory for the specific patched version number that addresses CVE-2023-54350. Apply the patch immediately once available and verified. Verify the plugin update through the WordPress admin dashboard or via wp-cli. After patching, confirm that the file_manager directory has not been modified by an attacker and that no unauthorized PHP files exist in that location.

Detection guidance

Search web server access logs for POST requests to any endpoint containing 'connector.minimal.php' or similar elFinder connector paths. Look for requests with mkfile or put commands in the query string or POST body. Monitor the file_manager directory for unexpected PHP files created around the time of the vulnerability disclosure or after. Use web application firewalls to flag or block POST requests to connector.minimal.php from unauthenticated sources. File integrity monitoring (FIM) on the file_manager and WordPress root directories will alert if new PHP files are created.

Why prioritize this

This vulnerability scores 7.5 (HIGH) with a network attack vector, no authentication requirement, and direct confidentiality impact. The elFinder connector's public-facing nature and the simplicity of exploitation make this a top-tier priority. WordPress Augmented-Reality plugin users should treat this as critical and patch or disable immediately.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects: (1) Network Accessibility (AV:N)—the endpoint is reachable remotely; (2) Low Attack Complexity (AC:L)—no special conditions or user interaction needed; (3) No Privileges Required (PR:N)—unauthenticated attackers can exploit it; (4) No User Interaction (UI:N)—the attack is fully automated; (5) High Confidentiality Impact (C:H)—successful exploitation allows reading sensitive data. The absence of integrity and availability impacts in the vector reflects the focus on unauthorized access rather than data modification or denial of service, but in practice, full RCE enables all three impact types.

Frequently asked questions

Do I need to be a WordPress administrator to exploit this vulnerability?

No. The vulnerability is unauthenticated, meaning an attacker does not need any WordPress user account or administrative credentials. Anyone with network access to the vulnerable endpoint can exploit it.

What exactly can an attacker do if they successfully exploit this?

An attacker gains remote code execution (RCE) with the privileges of the web server process, typically the www-data or apache user. They can read files, modify site content, steal database credentials, install persistent backdoors, and potentially escape the web server context to compromise the underlying operating system or network.

Is there a temporary workaround if I cannot patch immediately?

Yes. Disable or deactivate the Augmented-Reality plugin if it is not essential. If you must keep it active, use a Web Application Firewall (WAF) or your web server configuration to block all POST requests to connector.minimal.php or deny access to the file_manager directory from untrusted sources. These are temporary measures; patching is mandatory.

How do I verify if my site was already compromised?

Check your web server access logs for POST requests to connector.minimal.php or similar paths from unknown IP addresses. Scan the file_manager directory for unexpected or suspicious PHP files with recent modification dates. Run a malware scanner on your WordPress installation and database. Monitor your hosting provider's abuse notifications and review user account creation logs for unfamiliar administrators.

This analysis is provided for informational purposes and based on the vulnerability description and CVSS vector data available as of the publication date. No specific patched versions, vendor advisories, or exploit code are provided or endorsed. Organizations should verify patch availability and compatibility with their environment before deployment. Network access logs, file integrity, and monitoring recommendations are general best practices and should be adapted to your specific infrastructure and security tooling. Always test patches in a non-production environment first. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).