Security Advisory - Published 2026-06-08 - WordPress RCE

WordPress Seotheme CVE-2023-54352: Unauthenticated RCE Self-Check

CVE-2023-54352 maps to a public WordPress Seotheme unauthenticated remote code execution issue. The public exploit trail checks for a PHP shell named mar.php under /wp-content/themes/seotheme/, and also checks the related /wp-content/plugins/seoplugins/ path. If either path exists on your site, treat this as a compromise check, not just a theme update.

Scope: This guide is for WordPress owners and defenders. It does not include upload requests, shell code, or exploitation steps. Use it to identify exposed files, preserve logs, and decide whether cleanup is needed.

What is affected

  • Product: WordPress sites using the third-party Seotheme theme or related SEO plugin path
  • CVE: CVE-2023-54352
  • Severity: CVSS 9.8 critical in the current alert feed
  • Attack surface: unauthenticated remote code execution through malicious file upload / shell placement
  • Public exploit signal: yes, public exploit listing exists
  • Known exploited in CISA KEV: no, as of this publication

The exploit code was public before this CVE alert appeared in the monitor. That matters for old WordPress sites: scanners may already know the file names and paths even if the CVE ID looks newly published.

10-minute self-check

Step 1: Check whether Seotheme exists

From the WordPress root, look for the theme and related plugin directory:

cd /path/to/wordpress
find wp-content/themes wp-content/plugins -maxdepth 2 \( -iname "seotheme" -o -iname "seoplugins" \) -type d 2>/dev/null

If either directory exists and you do not know why, keep it in place for a moment and collect evidence before deleting files.

Step 2: Hunt the public shell indicator

Check the paths used by public exploit scanners:

find wp-content/themes/seotheme wp-content/plugins/seoplugins -maxdepth 2 -type f -iname "mar.php" -ls 2>/dev/null

A match is highly suspicious. Save the path, timestamp, owner, and hash before cleanup:

sha256sum wp-content/themes/seotheme/mar.php wp-content/plugins/seoplugins/mar.php 2>/dev/null
stat wp-content/themes/seotheme/mar.php wp-content/plugins/seoplugins/mar.php 2>/dev/null

Step 3: Look for recently changed theme/plugin PHP files

WordPress themes normally contain PHP files, so do not delete every PHP file you see. Focus on unexpected filenames, recent timestamps, and files that do not belong to a clean copy of the theme:

find wp-content/themes/seotheme wp-content/plugins/seoplugins -type f -mtime -30 -ls 2>/dev/null

Step 4: Review web logs

Search access logs for direct requests to the suspicious shell path:

grep -R "wp-content/themes/seotheme/mar.php\|wp-content/plugins/seoplugins/mar.php" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -80

If the path returned 200 or shows POST requests, treat the site as compromised. Preserve web logs and WordPress debug logs before replacing files.

Step 5: Check WordPress state

  • Unexpected administrator users
  • New plugin or theme folders you did not install
  • Modified wp-config.php, .htaccess, or mu-plugins
  • New cron jobs or scheduled tasks under the hosting account
  • Outbound spam, redirects, SEO spam, or unknown PHP files in uploads
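
The Step 4 rule (a 200 response or a POST to the shell path means compromise), applied to parsed log fields rather than raw grep output. This is an added example, not part of the original advisory; it assumes the common/combined access-log format, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): triage access-log hits on the shell paths.
# Assumes common/combined log format: IP - - [time] "METHOD URI PROTO" STATUS SIZE ...

# classify_shell_hits: reads log lines on stdin and prints, per hit,
# "<verdict> <ip> <method> <status> <uri>". Verdict is COMPROMISED for a POST
# or a 200 response (the Step 4 rule), otherwise PROBE.
classify_shell_hits() {
  awk '
    {
      n = split($0, q, "\"")            # q[2] = request line, q[3] = status/size
      if (n < 3) next                   # malformed line, skip
      split(q[1], pre, " ");  ip = pre[1]
      split(q[2], req, " ");  method = req[1]; raw = req[2]
      split(q[3], rest, " "); status = rest[1]
      path = tolower(raw); sub(/\?.*/, "", path)   # drop query, match any case
      # Unanchored at the start so subdirectory installs (/blog/wp-content/...) match.
      if (path !~ /\/wp-content\/(themes\/seotheme|plugins\/seoplugins)\/mar\.php$/) next
      verdict = (method == "POST" || status == "200") ? "COMPROMISED" : "PROBE"
      print verdict, ip, method, status, raw
    }'
}

# shell_hit_verdict: one overall result for a log stream.
shell_hit_verdict() {
  classify_shell_hits | awk '
    $1 == "COMPROMISED" { bad = 1 }
    $1 == "PROBE"       { probe = 1 }
    END { print (bad ? "COMPROMISED" : (probe ? "PROBED" : "CLEAN")) }'
}

# Constructed sample lines (documentation IP ranges), not taken from a real site.
sample_log() {
  cat <<'EOF'
198.51.100.7 - - [08/Jun/2026:10:01:02 +0000] "GET /wp-content/themes/seotheme/mar.php HTTP/1.1" 404 153 "-" "scanner"
203.0.113.9 - - [08/Jun/2026:10:05:40 +0000] "POST /wp-content/plugins/seoplugins/mar.php HTTP/1.1" 200 48 "-" "curl/8.0"
203.0.113.9 - - [08/Jun/2026:10:06:11 +0000] "GET /wp-content/themes/seotheme/style.css HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Jun/2026:10:09:30 +0000] "GET /blog/wp-content/themes/seotheme/MAR.php?x=1 HTTP/1.1" 403 0 "-" "scanner"
EOF
}

sample_log | classify_shell_hits
sample_log | shell_hit_verdict
```

To run it on real logs, pipe them in, for example with cat access.log | shell_hit_verdict. Compressed rotations need zcat -f first, because a plain grep -R does not read inside .gz files.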

Safe fix path

  1. Put the site in maintenance mode or restrict access. Stop public traffic if shell execution is confirmed.
  2. Preserve evidence first. Copy suspicious files and logs before deleting anything.
  3. Remove abandoned Seotheme/seoplugins code. If it is not used, delete it after evidence capture.
  4. Restore from clean sources. Reinstall WordPress core, active themes, and plugins from trusted sources.
  5. Rotate credentials. Change WordPress admins, database password, SFTP/SSH, hosting panel, and API keys.
  6. Harden file writes. Disable file editing and keep theme/plugin files owned by the right user.

Temporary hardening

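If you cannot clean immediately, block the known shell path while you preserve evidence and plan a proper rebuild. The rule below is nginx syntax; place it above the general PHP location (location ~ \.php$), because nginx uses the first regex location that matches: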

location ~ ^/wp-content/(themes/seotheme|plugins/seoplugins)/mar\.php$ {
    return 403;
}

This is only a stopgap. If the shell was uploaded once, there may be other files and stolen credentials.

When to treat it as an incident

  • mar.php exists under the Seotheme or seoplugins path.
  • Logs show successful requests to the shell path.
  • Unknown admins, plugin installs, redirects, or modified PHP files appear.
  • The same hosting account runs multiple WordPress sites with shared credentials.
  • You cannot identify when the theme/plugin directory was added.

Ping7 repair path

Ping7 can run a WordPress compromise check for this issue: shell hunt, log review, admin/user audit, cleanup notes, and a hardening pass. Start from CVE Repair and include the domain, hosting type, and whether wp-content/themes/seotheme exists.
