CVE Catalog

CVE-2023-54350

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Summary

The Augmented-Reality plugin for WordPress contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.

Risk Assessment

This vulnerability poses a serious risk to organizations by allowing attackers to remotely execute code on the server, potentially leading to system takeover. Consequently, this could result in data loss, file deletion, or other malicious activities.

Recommendation

It is recommended to immediately update the Augmented-Reality plugin to the latest version to mitigate this vulnerability. Additionally, it is advisable to restrict access to the connector.minimal.php endpoint and monitor server logs for potential attack attempts.

Original NVD description (English source)

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS