Description
WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.
Published: 2026-06-08
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Augmented‑Reality plugin contains a flaw in the elFinder connector that allows an attacker to upload and execute arbitrary PHP code without authentication. By sending specially crafted POST requests to the connector.minimal.php endpoint with mkfile and put parameters a malicious file can be created in the file_manager directory and then executed on the server. This remote code execution capability can compromise the entire server, enabling full system control for a non‑authenticated attacker. The weakness is a missing authentication check (CWE‑306).

Affected Systems

The affected component is the WordPress Augmented Reality plugin (webandprint ar) version 7.0, distributed as a WordPress plugin and running on any WordPress site that has installed it. The vulnerability arises from the elFinder connector included in that plugin. Only installations that use this version and have the connector enabled are at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. No EPSS score is published, so the public exploitation likelihood is unclear, and the vulnerability is not currently listed in CISA's KEV catalog. Attackers can exploit the flaw remotely over HTTP by sending a POST request to connector.minimal.php, no user interaction or local privileges are required, and no network restrictions are implied, making it potentially exploitable from the Internet.

Generated by OpenCVE AI on June 8, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WordPress Augmented‑Reality plugin to the latest patched version released by Webandprint.
  • If an update is not yet available, disable or remove the elFinder connector to block unauthenticated file uploads.
  • Restrict access to the connector.minimal.php endpoint and enforce authentication, for example by adding .htaccess rules or PHP checks.

Generated by OpenCVE AI on June 8, 2026 at 03:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Description WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.
Title WordPress Augmented-Reality Plugin Remote Code Execution Unauthenticated
First Time appeared Webandprint
Webandprint ar
Weaknesses CWE-306
CPEs cpe:2.3:a:webandprint:ar:7.0:*:*:*:*:wordpress:*:*
Vendors & Products Webandprint
Webandprint ar
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Webandprint Ar
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T01:55:28.450Z

Reserved: 2026-01-10T01:51:52.987Z

Link: CVE-2023-54350

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T02:16:22.810

Modified: 2026-06-08T02:16:22.810

Link: CVE-2023-54350

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T03:30:16Z

Weaknesses