CVE-2023-54350

HIGH 7.5

WordPress Augmented-Reality Plugin Remote Code Execution Unauthenticated

CVSS Score

7.5

EPSS Score

0.1%

EPSS Percentile

23th

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.

CWE	CWE-306
Vendor	webandprint
Product	augmented reality
Published	Jun 8, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for webandprint augmented reality

Be the first to know when new high vulnerabilities affecting webandprint augmented reality are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

webandprint / Augmented Reality

7.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/51788 vulncheck.com: https://www.vulncheck.com/advisories/wordpress-augmented-reality-plugin-remote-code-execution-unauthenticated

Credits

Milad Karimi (Ex3ptionaL)