CVE-2023-54350NVD

Vulnerability Summary

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.

Severity Level

HIGH(7.5)

Published Date

Jun 8, 2026

Last Modified

Jun 9, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.08%Probability

Root Weakness (CWE)

N/A

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityNone

AvailabilityNone

External References

https://www.exploit-db.com/exploits/51788
https://www.vulncheck.com/advisories/wordpress-augmented-reality-plugin-remote-code-execution-unauthenticated

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2023-54350NVD

Vulnerability Summary

External References