CVE-2023-54350
WordPress · Augmented-Reality plugin
The WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector, allowing unauthenticated file uploads.
Executive summary
The WordPress Augmented-Reality plugin is vulnerable to unauthenticated remote code execution, posing an immediate threat to site integrity.
Vulnerability
This is a remote code execution vulnerability located in the elFinder connector. Unauthenticated attackers can send specially crafted POST requests to the connector.minimal.php endpoint to upload and execute malicious PHP files.
Business impact
A successful exploit grants the attacker the ability to execute arbitrary PHP code on the server, resulting in full site compromise, data theft, or the installation of backdoors. The CVSS score of 7.5 reflects the high impact of this vulnerability, as it requires no prior authentication to execute.
Remediation
Immediate Action: Apply the vendor-provided patch that fixes the file upload vulnerability in the elFinder connector.
Proactive Monitoring: Inspect the web server's upload directories for unauthorized files and review server access logs for requests to connector.minimal.php.
Compensating Controls: Disable the elFinder connector if it is not required for site functionality and ensure that file upload directories are configured to prevent script execution.
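The monitoring step above (review access logs for connector.minimal.php requests, inspect upload directories for files that should not be there) can be scripted. The following is an added triage example, not code from the advisory or from the plugin; it assumes an Apache/nginx "combined" access log format and a WordPress wp-content/uploads tree, and the log lines, IP addresses, file names and the plugin directory path (PLUGIN_DIR) are constructed placeholders.

```python
"""Triage helpers for the remediation steps: find hits on the elFinder
connector in an access log and list executable files in upload directories.

Added example, not part of the original advisory or the plugin.
Assumes the Apache/nginx "combined" log format; sample data is constructed.
"""
import re
from typing import Dict, Iterable, List

# Combined log format: ip - user [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint named in the advisory; uploads are sent to it via POST.
CONNECTOR = "connector.minimal.php"

# Extensions a typical PHP handler would execute if they landed in an upload directory.
SCRIPT_EXTS = (".php", ".php5", ".php7", ".phtml", ".phar")


def find_connector_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed entries for every request whose path contains the connector.

    POST requests are tagged 'upload_attempt' (the upload path uses POST);
    other methods are tagged 'probe' so reconnaissance is still visible.
    Lines that do not match the combined format are skipped, not guessed at.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if CONNECTOR not in m.group("path"):
            continue
        entry = m.groupdict()
        entry["kind"] = "upload_attempt" if entry["method"] == "POST" else "probe"
        hits.append(entry)
    return hits


def suspicious_uploads(paths: Iterable[str]) -> List[str]:
    """Return upload-directory paths whose extension would be executed as PHP.

    WordPress upload directories should only hold media; a script file
    there is an indicator that the upload vulnerability was used.
    The check is case-insensitive so 'x.PHTML' is not missed.
    """
    return [p for p in paths if p.lower().endswith(SCRIPT_EXTS)]


# Constructed sample log lines (placeholder addresses and plugin path, not from a real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/PLUGIN_DIR/connector.minimal.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-content/plugins/PLUGIN_DIR/connector.minimal.php HTTP/1.1" 200 311 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    'malformed line that should be skipped',
]

# Constructed sample listing of an upload directory (e.g. from os.walk on wp-content/uploads).
SAMPLE_UPLOADS = [
    "wp-content/uploads/2023/10/banner.png",
    "wp-content/uploads/2023/10/shell.php",
    "wp-content/uploads/2023/10/notes.PHTML",
]

if __name__ == "__main__":
    for h in find_connector_requests(SAMPLE_LOG):
        print(f"{h['kind']:15} {h['ip']:15} {h['method']:5} {h['path']} -> {h['status']}")
    for p in suspicious_uploads(SAMPLE_UPLOADS):
        print("suspicious upload:", p)
```

In practice, feed `find_connector_requests` the real access log (one line per entry) and `suspicious_uploads` the file list produced by walking wp-content/uploads; any POST hit on the connector that predates the patch, or any script file under uploads, should be treated as a possible compromise and investigated rather than simply deleted.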
Exploitation status
Public Exploit Available: true
Analyst recommendation
This vulnerability is critical due to its potential for total system takeover. Administrators must update the plugin immediately and audit their environments for any evidence of unauthorized file uploads that may have already occurred.