What the vulnerability does
01Description
WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.
Explanation of Vulnerability in Simple Terms
02Summary
A missing authentication vulnerability in webandprint Augmented Reality allows unauthenticated network attackers to access sensitive information. The vulnerability requires no user interaction and can be exploited remotely with low complexity. Affected versions are 7.0 and later. The vendor has not released a patch.
What an attacker can do
03Attacker Capabilities
Read sensitive data without logging in.
Potential impact on your site
04Site Impact
Confidential information may be exposed to anyone on the internet.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 8, 2026
CVE published
June 9, 2026
Record updated