A critical (CVSS 9.8) remote code execution flaw in the WordPress Seotheme allows unauthenticated attackers to upload and execute arbitrary PHP, fully compromising affected sites.
What Is It
CVE-2023-54352 is an unauthenticated remote code execution vulnerability in the WordPress Seotheme. The root cause is missing authentication (CWE-306) on a file upload path, which permits any network-based attacker to drop malicious PHP files directly into the theme directory. Once written, the attacker invokes the uploaded shell at /wp-content/themes/seotheme/mar.php to execute arbitrary system commands and stage additional payloads for persistence.
The flaw is trivially exploitable: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H shows it is reachable over the network, requires no privileges, and needs no user interaction. A secondary CVSS 4.0 score of 9.3 (CRITICAL) is also published.
Why It Matters
This is a pre-auth RCE in a public-facing WordPress theme, which puts every exposed install one HTTP request away from full server compromise. With confidentiality, integrity, and availability all rated HIGH, a successful exploit yields arbitrary command execution under the webserver account, enabling data theft, site defacement, web-shell persistence, and pivoting into adjacent infrastructure. A public exploit is already indexed on Exploit-DB (EDB-ID 51789), lowering the barrier for opportunistic mass-scanning and commodity attacker reuse.
CISA KEV does not currently list this CVE, so there is no government-confirmed evidence of active exploitation at time of writing, but the combination of a public exploit and unauthenticated access vector typically attracts in-the-wild abuse quickly.
What's Vulnerable
- Product: WordPress Seotheme (third-party WordPress theme)
- Attack surface: theme directory file upload reachable at /wp-content/themes/seotheme/
- Indicator of compromise to look for: presence of mar.php (or other unexpected PHP) under wp-content/themes/seotheme/
No specific affected version range or CPE list is published in the supplied NVD record.
Patch Status
The supplied NVD record does not list a vendor patch, fixed version, or vendor advisory. Until upstream guidance is published, defenders should treat any internet-exposed Seotheme installation as at risk: remove or replace the theme, block external write access to wp-content/themes/seotheme/, and hunt for unexpected PHP files (notably mar.php) in that directory as a compromise indicator.
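One way to run the hunt described above, as an added example that is not part of the NVD record or any vendor tooling: it compares the live theme directory against a trusted clean copy of the theme and reports mar.php, any PHP file the clean copy lacks, and any file whose contents differ. The clean copy, the extension list, and the function names are assumptions of this example.

```python
import hashlib
import sys
from pathlib import Path

# Extensions commonly mapped to the PHP handler (assumption: adjust to the
# web server's actual configuration).
PHP_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
KNOWN_IOC_NAMES = {"mar.php"}  # file name given in the advisory


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(clean_theme_dir) -> dict:
    """Map relative path -> SHA-256 for every file in a trusted theme copy."""
    root = Path(clean_theme_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def hunt_theme_dir(live_theme_dir, baseline: dict) -> list:
    """Return sorted (relative_path, reason) findings for the live directory."""
    root = Path(live_theme_dir)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name.lower() in KNOWN_IOC_NAMES:
            findings.append((rel, "known-ioc"))
        elif rel not in baseline:
            # Files absent from the clean copy matter only if PHP can run them.
            if p.suffix.lower() in PHP_EXTS:
                findings.append((rel, "unexpected-php"))
        elif sha256_file(p) != baseline[rel]:
            # A shipped file that changed may carry injected code.
            findings.append((rel, "modified"))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: hunt.py <clean_theme_dir> <live_theme_dir>")
    for rel, reason in hunt_theme_dir(sys.argv[2], build_baseline(sys.argv[1])):
        print(f"{reason}\t{rel}")
```

An empty result only means the directory matches the clean copy; files staged elsewhere on the host are outside what this check sees.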