CVE-2023-23970

9.9 CRITICAL

📋 TL;DR

This vulnerability allows attackers to upload arbitrary files, including malicious scripts, to WordPress sites using the Corsa theme. It affects all versions up to 1.5, potentially leading to remote code execution or site takeover. Users of the Corsa theme on WordPress are at risk.

💻 Affected Systems

Products:
  • WooRockets Corsa WordPress Theme
Versions: n/a through 1.5
Operating Systems: All OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with the Corsa theme active; no specific OS or server configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise via remote code execution, allowing attackers to deface the site, steal data, or install backdoors.

🟠 Likely Case

Upload of web shells leading to unauthorized access, data manipulation, or malware distribution.

🟢 If Mitigated

Limited impact if file uploads are restricted or monitored, but still poses a risk of file system access.

🌐 Internet-Facing: HIGH, as WordPress themes are typically exposed to the internet, making exploitation straightforward.
🏢 Internal Only: LOW, unless the site is internally hosted and accessible only to trusted users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploits are publicly available, and the vulnerability is easy to exploit without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.5 (check for updates from vendor)

Vendor Advisory: https://patchstack.com/database/vulnerability/corsa/wordpress-corsa-theme-1-5-arbitrary-file-upload

Restart Required: No

Instructions:

1. Update the Corsa theme to the latest version via WordPress admin panel.
2. If no update is available, remove the theme and replace with a secure alternative.

🔧 Temporary Workarounds

Disable File Uploads

Restrict file upload functionality in the theme or via server configuration.

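Modify .htaccess to deny requests for files with script extensions. This does not stop the upload itself; it stops an uploaded script from being requested. Apply it to the directory where uploaded files land rather than the site root, where it would also block WordPress's own .php entry points:

<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|php8|pl|py|jsp|asp|sh|cgi)">
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
Order Allow,Deny
Deny from all
</FilesMatch>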

🧯 If You Can't Patch

  • Remove the Corsa theme and use a different, secure theme.
  • Implement web application firewall (WAF) rules to block malicious file uploads.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel for Corsa theme version; if version is 1.5 or earlier, it is vulnerable.

Check Version:

In WordPress, go to Appearance > Themes and check Corsa theme details.

Verify Fix Applied:

After updating, confirm the theme version is above 1.5 and test file upload functionality for restrictions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to theme directories, especially .php or .phtml files.
  • HTTP POST requests to upload endpoints with suspicious filenames.

Network Indicators:

  • Traffic spikes to upload scripts.
  • Unexpected outbound connections from the server.

SIEM Query:

Example: source="web_server" AND (uri_path="/wp-content/themes/corsa/upload.php" OR file_extension="php")