WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.
Security readout for executives and security teams
Plain-English summary
This is an unauthenticated remote code execution issue in the WordPress Augmented Reality plugin version 7.0. An attacker could place executable PHP on the site through an exposed file manager component, potentially taking control of the WordPress server. Public exploit information exists, but active exploitation is not confirmed in the provided sources.
Executive priority
Treat this as urgent for any public WordPress site using the affected plugin. Unauthenticated code execution can become full site compromise, but urgency should be scoped to confirmed plugin presence.
Technical view
CVE-2023-54350 affects webandprint Augmented Reality 7.0 for WordPress. The issue is missing authentication around an elFinder connector, categorized as CWE-306. The CVSS 4.0 score is 8.7. The provided description says attackers can create and execute arbitrary PHP files in the plugin file manager area.
Likely exposure
Exposure is limited to WordPress sites running the webandprint Augmented Reality plugin version 7.0 with the vulnerable elFinder connector reachable. Internet-facing WordPress deployments have the highest practical risk.
Exploitation context
ExploitDB is listed as a public exploit reference, so defenders should assume exploitation knowledge is publicly available. The bundle does not show CISA KEV listing or confirmed in-the-wild exploitation.
Researcher notes
The record identifies version 7.0 and CWE-306, with CVSS 4.0 vector AV:N/AC:L/PR:N/UI:N. The sources do not provide a confirmed patched version or active exploitation evidence. Avoid assuming other plugin versions are affected without vendor confirmation.
Mitigation direction
Identify WordPress sites using Augmented Reality plugin version 7.0.
Disable or remove the plugin until vendor guidance is confirmed.
Check vendor or WordPress plugin guidance for a fixed version.
Restrict access to the vulnerable connector if removal is not immediately possible.
Investigate suspected compromise before restoring normal service.
Validation and detection
Inventory installed WordPress plugins and confirm Augmented Reality plugin versions.
Review web logs for access to the elFinder connector endpoint.
Inspect the plugin file manager directory for unexpected PHP files.
Check for suspicious WordPress admin users, modified themes, or altered plugin files.
Confirm whether remediation follows vendor guidance once available.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-306: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-306 · source CWE mapping
Missing Authentication for Critical Function
Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.