CVE-2023-54350

HIGH

WordPress Augmented-Reality Plugin Remote Code Execution Unauthenticated

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-54350. PoCs published by Milad karimi.

AI-analyzed exploit summary: This exploit targets a file upload vulnerability in the WordPress Augmented-Reality plugin, allowing unauthenticated remote code execution by uploading a malicious PHP file via the elFinder connector. The script automates the process of creating a file, uploading a reverse shell, and verifying its accessibility.

Description

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.

Exploits (1)

exploitdb WORKING POC
by Milad karimi · python · webapps · php
https://www.exploit-db.com/exploits/51788

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Augmented-Reality plugin (version not specified)
No auth needed
Prerequisites: Target must have the vulnerable WordPress Augmented-Reality plugin installed · The elfinder connector must be accessible at the expected path
devstral-2 · analyzed Jun 08, 2026

References (2)

Core References (2)
Exploit: ExploitDB-51788
https://www.exploit-db.com/exploits/51788
Third Party Advisory: VulnCheck Advisory: WordPress Augmented-Reality Plugin Remote Code Execution Unauthenticated
https://www.vulncheck.com/advisories/wordpress-augmented-reality-plugin-remote-code-execution-unauthenticated

Scores

CVSS v3 7.5
EPSS 0.0053
EPSS Percentile 40.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE: CWE-306
Status: published
Products (1)
webandprint/Augmented Reality 7.0
Published Jun 08, 2026
Tracked Since Jun 08, 2026