Security Advisory - Published 2026-06-08 - WordPress RCE
WordPress Seotheme CVE-2023-54352: Unauthenticated RCE Self-Check
CVE-2023-54352 maps to a public WordPress Seotheme unauthenticated remote code
execution issue. The public exploit trail checks for a PHP shell named
mar.php under /wp-content/themes/seotheme/, and also
checks the related /wp-content/plugins/seoplugins/ path. If either
path exists on your site, treat this as a compromise check, not just a theme update.
What is affected
- Product: WordPress sites using the third-party Seotheme theme or related SEO plugin path
- CVE: CVE-2023-54352
- Severity: CVSS 9.8 critical in the current alert feed
- Attack surface: unauthenticated remote code execution through malicious file upload / shell placement
- Public exploit signal: yes, public exploit listing exists
- Known exploited in CISA KEV: no, as of this publication
The exploit code was public before this CVE alert appeared in the monitor. That matters for old WordPress sites: scanners may already know the file names and paths even if the CVE ID looks newly published.
10-minute self-check
Step 1: Check whether Seotheme exists
From the WordPress root, look for the theme and related plugin directory:
cd /path/to/wordpress
find wp-content/themes wp-content/plugins -maxdepth 2 \( -iname "seotheme" -o -iname "seoplugins" \) -type d 2>/dev/null
If either directory exists and you do not know why, keep it in place for a moment and collect evidence before deleting files.
Step 2: Hunt the public shell indicator
Check the paths used by public exploit scanners:
find wp-content/themes/seotheme wp-content/plugins/seoplugins -maxdepth 2 -type f -iname "mar.php" -ls 2>/dev/null
A match is highly suspicious. Save the path, timestamp, owner, and hash before cleanup:
sha256sum wp-content/themes/seotheme/mar.php 2>/dev/null
stat wp-content/themes/seotheme/mar.php 2>/dev/null
Step 3: Look for recently changed theme/plugin PHP files
WordPress themes normally contain PHP files, so do not delete every PHP file you see. Focus on unexpected filenames, recent timestamps, and files that do not belong to a clean copy of the theme:
find wp-content/themes/seotheme wp-content/plugins/seoplugins -type f -mtime -30 -ls 2>/dev/null
Step 4: Review web logs
Search access logs for direct requests to the suspicious shell path:
grep -R "wp-content/themes/seotheme/mar.php\|wp-content/plugins/seoplugins/mar.php" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -80
If the path returned 200 or shows POST requests, treat the site as compromised. Preserve web logs and WordPress debug logs before replacing files.
Step 5: Check WordPress state
- Unexpected administrator users
- New plugin or theme folders you did not install
- Modified wp-config.php, .htaccess, or mu-plugins
- New cron jobs or scheduled tasks under the hosting account
- Outbound spam, redirects, SEO spam, or unknown PHP files in uploads
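The Step 4 rule (a 200 response or a POST to the shell path means compromise) can be applied per request instead of by eye. This is an added example, not part of the original advisory; it assumes the nginx/Apache combined log format, and the function names and sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify access-log requests to the mar.php paths from this advisory.
# Assumption: nginx/Apache "combined" log format. Function names are hypothetical.

# Reads log lines on stdin and prints one line per request to a monitored path:
#   VERDICT client_ip timestamp method status path
triage_shell_hits() {
  awk '
    {
      # Combined format: ip - user [time zone] "METHOD path proto" status bytes ...
      ip = $1; ts = substr($4, 2); method = substr($6, 2); path = $7; status = $9
      sub(/\?.*/, "", path)   # drop any query string before matching
      if (path !~ /^\/wp-content\/(themes\/seotheme|plugins\/seoplugins)\/mar\.php$/) next
      # Advisory rule: a 200 response or a POST request means treat as compromised.
      # Anything else (for example a GET answered with 404) is recorded as a probe.
      verdict = (status == "200" || method == "POST") ? "COMPROMISE" : "PROBE"
      print verdict, ip, ts, method, status, path
    }'
}

# Constructed sample input (documentation-range IPs), not taken from a real site.
sample_log() {
  cat <<'EOF'
192.0.2.10 - - [08/Jun/2026:10:01:02 +0000] "GET /wp-content/themes/seotheme/mar.php HTTP/1.1" 200 312 "-" "curl/8.0"
192.0.2.10 - - [08/Jun/2026:10:01:09 +0000] "POST /wp-content/plugins/seoplugins/mar.php?x=1 HTTP/1.1" 403 162 "-" "curl/8.0"
198.51.100.7 - - [08/Jun/2026:10:05:00 +0000] "GET /wp-content/themes/seotheme/mar.php HTTP/1.1" 404 153 "-" "scanner"
203.0.113.5 - - [08/Jun/2026:10:06:00 +0000] "GET /wp-content/themes/seotheme/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
}

# Demo run on the constructed sample; on a server, pipe the real access log in instead.
sample_log | triage_shell_hits
```

To include rotated, compressed logs, which `grep -R` does not read, feed the function with something like `gzip -cdf /var/log/nginx/access.log* | triage_shell_hits`, adjusting the file name to your server's log layout.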
Safe fix path
- Put the site in maintenance mode or restrict access. Stop public traffic if shell execution is confirmed.
- Preserve evidence first. Copy suspicious files and logs before deleting anything.
- Remove abandoned Seotheme/seoplugins code. If it is not used, delete it after evidence capture.
- Restore from clean sources. Reinstall WordPress core, active themes, and plugins from trusted sources.
- Rotate credentials. Change WordPress admins, database password, SFTP/SSH, hosting panel, and API keys.
- Harden file writes. Disable file editing and keep theme/plugin files owned by the right user.
Temporary hardening
If you cannot clean immediately, block the known shell path while you preserve evidence and plan a proper rebuild:
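location ~ ^/wp-content/(themes/seotheme|plugins/seoplugins)/mar\.php$ {
    return 403;
}
This is only a stopgap. If the shell was uploaded once, there may be other files and stolen credentials. nginx evaluates regex locations in the order they appear in the configuration and uses the first match, so place this block ahead of the regex location that hands PHP requests to the interpreter.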
When to treat it as an incident
- mar.php exists under the Seotheme or seoplugins path.
- Logs show successful requests to the shell path.
- Unknown admins, plugin installs, redirects, or modified PHP files appear.
- The same hosting account runs multiple WordPress sites with shared credentials.
- You cannot identify when the theme/plugin directory was added.
Ping7 repair path
Ping7 can run a WordPress compromise check for this issue: shell hunt, log review,
admin/user audit, cleanup notes, and a hardening pass. Start from
CVE Repair and include the domain, hosting type, and
whether wp-content/themes/seotheme exists.