CVE-2023-54350 Overview
CVE-2023-54350 is an unauthenticated remote code execution vulnerability in the WordPress Augmented-Reality plugin. The flaw resides in the bundled elFinder connector, which exposes file management functionality without authentication checks [CWE-306]. Attackers send POST requests to the connector.minimal.php endpoint using mkfile and put commands to write arbitrary PHP files into the file_manager directory. Once written, the attacker requests the file directly through the web server to execute attacker-controlled code under the web server user. The vulnerability requires no privileges, no user interaction, and is reachable over the network.
Critical Impact
Unauthenticated attackers can upload and execute arbitrary PHP files on WordPress sites running the Augmented-Reality plugin, leading to full site compromise.
Affected Products
- WordPress Augmented-Reality plugin
- WordPress sites with the plugin's elFinder connector exposed
- Web servers hosting the vulnerable connector.minimal.php endpoint
Discovery Timeline
- 2026-06-08 - CVE-2023-54350 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2023-54350
Vulnerability Analysis
The Augmented-Reality plugin ships a copy of the elFinder file manager and exposes its connector script at a predictable path within the plugin directory. The connector accepts standard elFinder commands over HTTP POST, including commands that create new files and write arbitrary content into them. Because the plugin does not enforce WordPress authentication or capability checks before dispatching commands, any unauthenticated client on the network can invoke file operations. The connector also fails to restrict the file extensions and MIME types it accepts, allowing PHP files to be written into a web-accessible directory.
Root Cause
The root cause is missing authentication on a privileged file-management interface [CWE-306]. The elFinder connector was integrated into the plugin without wrapping its endpoints in WordPress access control. There is no nonce check, no current_user_can() gate, and no extension allowlist. Combined with a writable directory served directly by the web server, this turns a file manager into an arbitrary code execution primitive.
Attack Vector
The attack is purely network-based. An attacker issues a POST request to the plugin's connector.minimal.php with cmd=mkfile to create a .php file inside the file_manager directory, followed by a cmd=put request to write PHP payload content into that file. The attacker then issues a GET request to the newly created PHP file, causing the web server to execute the payload. Full technical details and a working proof of concept are documented in Exploit-DB #51788 and the VulnCheck Advisory for WordPress Plugin.
Detection Methods for CVE-2023-54350
Indicators of Compromise
- POST requests to URLs containing connector.minimal.php carrying elFinder cmd=mkfile or cmd=put parameters. The elFinder client normally sends cmd in the POST body, which the standard combined access log format does not record, so treat any POST to the connector as an indicator and rely on a WAF or request-body logging to see the actual command; the connector performs no authentication, so session state of the client does not reduce the severity.
- Newly created .php files inside the plugin's file_manager directory that were not part of the original plugin distribution.
- Outbound connections or system(), exec(), or passthru() activity originating from the WordPress PHP worker shortly after suspicious POST requests.
Detection Strategies
- Inspect web server access logs for requests to connector.minimal.php with elFinder command parameters from external sources.
- Monitor file integrity on the plugin's upload and file_manager directories for unexpected PHP file creation.
- Alert on PHP processes spawning shell interpreters or network utilities such as sh, bash, curl, or wget.
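The first two detection strategies above, implemented as an added example (this code is not part of the original page, the plugin, or elFinder): a Python scanner that parses combined-format access log lines, flags elFinder write commands sent to connector.minimal.php, flags every other POST to the connector (because cmd usually travels in the unlogged request body), and flags a successful GET of a .php file under file_manager, escalating that last case to a chain alert when the same client IP already touched the connector. The log lines, IP addresses and plugin paths are constructed for the example; the connector's real location inside the plugin directory and the extra elFinder write commands beyond mkfile and put are assumptions to adjust for your install.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "METHOD url PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

CONNECTOR = "connector.minimal.php"
WRITE_DIR = "/file_manager/"        # assumed web path of the writable directory
# mkfile and put are the commands the advisory names; the rest are other elFinder
# commands that create or change files and deserve the same treatment (assumption).
WRITE_CMDS = {"mkfile", "put", "upload", "mkdir", "rename", "paste"}


def parse_line(line):
    """Return a dict with ip, method, path, query (dict) and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def classify(rec):
    """Label one parsed request, or return None when it is not interesting."""
    path, method = rec["path"], rec["method"]
    if path.endswith(CONNECTOR):
        if rec["query"].get("cmd") in WRITE_CMDS:
            return "elfinder-write"        # write command visible in the query string
        if method == "POST":
            # cmd is usually in the POST body, which access logs do not record,
            # so every POST to the unauthenticated connector is a candidate
            return "elfinder-post"
        return "elfinder-read"
    if (method == "GET" and WRITE_DIR in path
            and path.lower().endswith(".php") and rec["status"] == "200"):
        return "file_manager-php-exec"     # a PHP file served from the writable dir
    return None


def scan(lines):
    """Return (label, ip, path) alerts; a PHP hit from an IP that already
    touched the connector is escalated to 'webshell-chain'."""
    alerts, armed = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is None:
            continue
        if label.startswith("elfinder-"):
            armed.add(rec["ip"])
        elif rec["ip"] in armed:
            label = "webshell-chain"
        alerts.append((label, rec["ip"], rec["path"]))
    return alerts


# Constructed log lines (not real traffic); the plugin path is assumed.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "POST /wp-content/plugins/augmented-reality/file_manager/php/connector.minimal.php?cmd=mkfile&name=x.php HTTP/1.1" 200 210 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Mar/2024:10:01:06 +0000] "POST /wp-content/plugins/augmented-reality/file_manager/php/connector.minimal.php HTTP/1.1" 200 180 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /wp-content/plugins/augmented-reality/file_manager/x.php?c=id HTTP/1.1" 200 64 "-" "curl/8.0"',
    '198.51.100.9 - - [12/Mar/2024:10:02:00 +0000] "GET /wp-content/plugins/augmented-reality/file_manager/x.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

Run it against a real log with `scan(open("/var/log/apache2/access.log"))`; the "webshell-chain" label is the one worth paging on, while "elfinder-post" on its own needs the request body (from a WAF or mod_security audit log) to confirm which command was sent.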
Monitoring Recommendations
- Forward WordPress, web server, and host process telemetry to a centralized analytics platform for correlation.
- Track child processes of the web server user (www-data, apache, nginx) and flag deviations from a known-good baseline.
- Review plugin directories weekly for files modified outside of patch or update windows.
How to Mitigate CVE-2023-54350
Immediate Actions Required
- Disable or remove the WordPress Augmented-Reality plugin until a vendor-supplied fix is confirmed in place.
- Block external HTTP access to any path containing connector.minimal.php at the web server or WAF layer.
- Audit the plugin's file_manager directory and remove any PHP files that were not part of the original plugin package.
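The audit step above, and the file-integrity and weekly-review items in the detection section, as an added example (not code from the page, the plugin, or WordPress): a Python script that hashes every file under the plugin directory, diffs the result against a baseline manifest built from the pristine plugin package, and lists PHP files the package never shipped. The WordPress plugin repository does not publish file manifests, so the baseline has to be produced from a freshly downloaded copy of the same plugin version; the demo builds a throwaway tree in a temporary directory with constructed file names instead, and the augmented-reality directory name is an assumption.

```python
import hashlib
import os
import shutil
import tempfile

# Extensions the web server may hand to PHP; adjust to your handler configuration.
PHP_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/'-separated) to its sha256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def audit(root, baseline):
    """Diff the live tree against a baseline manifest taken from the pristine package."""
    live = build_manifest(root)
    added = sorted(set(live) - set(baseline))
    modified = sorted(p for p in baseline if p in live and live[p] != baseline[p])
    missing = sorted(set(baseline) - set(live))
    # For this bug the decisive indicator is a PHP file that the package never shipped.
    dropped_php = [p for p in added if p.lower().endswith(PHP_EXTS)]
    return {"added": added, "modified": modified, "missing": missing, "dropped_php": dropped_php}


def run_demo():
    """Build a constructed plugin tree, snapshot it, simulate post-exploitation
    changes, and return the audit findings. File names are illustrative only."""
    root = tempfile.mkdtemp(prefix="augmented-reality-")
    try:
        fm = os.path.join(root, "file_manager")
        os.makedirs(fm)
        with open(os.path.join(root, "augmented-reality.php"), "w") as f:
            f.write("<?php // plugin entry point (placeholder)\n")
        with open(os.path.join(fm, "connector.minimal.php"), "w") as f:
            f.write("<?php // shipped elFinder connector (placeholder)\n")
        baseline = build_manifest(root)   # in practice: built from the pristine plugin zip

        # Simulate what the advisory describes: a new PHP file written through the
        # connector, plus a tampered connector. Contents are placeholders, not a payload.
        with open(os.path.join(fm, "x.php"), "w") as f:
            f.write("<?php // file that was not in the package\n")
        with open(os.path.join(fm, "connector.minimal.php"), "a") as f:
            f.write("// appended line\n")
        with open(os.path.join(fm, "notes.txt"), "w") as f:
            f.write("not PHP: reported as added but not as dropped_php\n")
        return audit(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {paths}")
```

In production, store the baseline manifest outside the web root (an attacker who can write to file_manager could otherwise rewrite it), and treat anything in "modified" as seriously as "dropped_php": a connector that has been altered in place is as good a foothold as a new file.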
Patch Information
No vendor advisory or fixed version is referenced in the NVD record for CVE-2023-54350. Administrators should consult the VulnCheck Advisory for WordPress Plugin and the WordPress plugin repository for current status before reinstating the plugin.
Workarounds
- Deny direct web access to the plugin's elFinder connector using web server rules.
- Configure the web server to refuse PHP execution within upload and file_manager directories.
- Restrict access to the plugin's connector and file_manager paths under /wp-content/plugins/ to trusted clients where operationally feasible. Avoid locking down the whole /wp-content/plugins/ tree: most plugins serve public CSS and JavaScript from it, so a blanket restriction breaks front-end rendering, and the web server cannot see WordPress session state, so "authenticated administrators" at this layer in practice means a source-IP allowlist or HTTP basic authentication.
# Apache example: block the vulnerable endpoint and disable PHP execution in the file_manager directory.
# Put this in the virtual host configuration: <Directory> and php_admin_flag are not permitted in
# .htaccess files. If you can only edit .htaccess, place the two <FilesMatch> sections in an
# .htaccess inside the file_manager directory. Adjust the path to the plugin's real install location.
<FilesMatch "connector\.minimal\.php$">
    Require all denied
</FilesMatch>
<Directory "/var/www/html/wp-content/plugins/augmented-reality/file_manager">
    # Refuse every request for a PHP file here; effective under both mod_php and PHP-FPM
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
    # Defence in depth for mod_php only (mod_php7.c on PHP 7); ignored under PHP-FPM/FastCGI
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


