The WordPress Augmented‑Reality plugin contains a flaw in the elFinder connector that allows an attacker to upload and execute arbitrary PHP code without authentication. By sending specially crafted POST requests to the connector.minimal.php endpoint with mkfile and put parameters a malicious file can be created in the file_manager directory and then executed on the server. This remote code execution capability can compromise the entire server, enabling full system control for a non‑authenticated attacker. The weakness is a missing authentication check (CWE‑306).

The affected component is the WordPress Augmented Reality plugin (webandprint ar) version 7.0, distributed as a WordPress plugin and running on any WordPress site that has installed it. The vulnerability arises from the elFinder connector included in that plugin. Only installations that use this version and have the connector enabled are at risk.

The CVSS score of 8.7 indicates high severity. No EPSS score is published, so the public exploitation likelihood is unclear, and the vulnerability is not currently listed in CISA's KEV catalog. Attackers can exploit the flaw remotely over HTTP by sending a POST request to connector.minimal.php, no user interaction or local privileges are required, and no network restrictions are implied, making it potentially exploitable from the Internet.