CVE-2023-54350
Severity CVSS v4.0:
HIGH
Type:
CWE-306
Missing Authentication for Critical Function
Publication date:
08/06/2026
Last modified:
08/06/2026
Description
WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.
Impact
Base Score 4.0
8.70
Severity 4.0
HIGH
Base Score 3.x
7.50
Severity 3.x
HIGH



