CVE-2023-2745
published 2023-05-17

Priority: P182 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 79.53% (99.6th percentile)

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could also be used to perform a Cross-Site Scripting attack.

Affected

49 ranges, showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 6.1.6+dfsg1-0+deb12u1 (bookworm) | wordpress 6.1.6+dfsg1-0+deb12u1 (bookworm) |
| wordpress | wordpress | < 4.1.38 | 4.1.38 |
| wordpress | wordpress | | |
| wordpress | wordpress | >= 0 < 5.7.11+dfsg1-0+deb11u1 | 5.7.11+dfsg1-0+deb11u1 |
| wordpress | wordpress | >= 0 < 6.1.6+dfsg1-0+deb12u1 | 6.1.6+dfsg1-0+deb12u1 |
| wordpress | wordpress | >= 0 < 6.2.1+dfsg1-1 | 6.2.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 6.2.1+dfsg1-1 | 6.2.1+dfsg1-1 |
| wordpress | wordpress | >= 4.2 < 4.2.35 | 4.2.35 |
| wordpress | wordpress | >= 4.3 < 4.3.31 | 4.3.31 |
| wordpress | wordpress | >= 4.4 < 4.4.30 | 4.4.30 |
| wordpress | wordpress | >= 4.5 < 4.5.29 | 4.5.29 |
| wordpress | wordpress | >= 4.6 < 4.6.26 | 4.6.26 |
| wordpress | wordpress | >= 4.7 < 4.7.26 | 4.7.26 |
| wordpress | wordpress | >= 4.8 < 4.8.22 | 4.8.22 |
| wordpress | wordpress | >= 4.9 < 4.9.23 | 4.9.23 |
| wordpress | wordpress | >= 5.0 < 5.0.19 | 5.0.19 |
| wordpress | wordpress | >= 5.1 < 5.1.16 | 5.1.16 |
| wordpress | wordpress | >= 5.2 < 5.2.18 | 5.2.18 |
| wordpress | wordpress | >= 5.3 < 5.3.15 | 5.3.15 |
| wordpress | wordpress | >= 5.4 < 5.4.13 | 5.4.13 |
| wordpress | wordpress | >= 5.5 < 5.5.12 | 5.5.12 |
| wordpress | wordpress | >= 5.6 < 5.6.11 | 5.6.11 |
| wordpress | wordpress | >= 5.7 < 5.7.9 | 5.7.9 |
| wordpress | wordpress | >= 5.8 < 5.8.7 | 5.8.7 |
| wordpress | wordpress | >= 5.9 < 5.9.6 | 5.9.6 |

Detection & IOCs (extracted from sources)

url: /wp-login.php?wp_lang=../../../../../../../wp-config.php
path: ../../../../../etc/passwd
command: GET /wp-login.php?wp_lang=<traversal_payload>
sigma:
id: CVE-2023-2745
flow: http(1) && http(2)
matchers:
- contains(body, "/wp-content/plugins")
- contains_all(body_2, "DB_NAME", "DB_PASSWORD")
- status_code_2 == 200
  • Alert on responses to /wp-login.php?wp_lang=<traversal> that contain sensitive strings such as 'DB_NAME' or 'DB_PASSWORD', indicating successful wp-config.php exfiltration.
  • Alert on responses containing 'root:x:0:0:root' following a request with a traversal payload in wp_lang, indicating successful /etc/passwd read.
  • Flag upload of crafted .po/.mo translation files to the WordPress site, which could be chained with this traversal to achieve stored XSS.
  • The Nuclei template requires a valid WordPress login (username/password) for the second HTTP step (POST to /wp-login.php) before issuing the traversal request; unauthenticated-only detection will miss the authenticated variant.
  • The traversal depth required may vary by server configuration; the exploit PoC uses five levels (../../../../../) while the Nuclei template uses seven (../../../../../../../), so tune detection patterns accordingly.
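
One way to apply the notes above to web-server access logs, as an added example that is not taken from this page, the PoC or the Nuclei template: it flags any traversal depth in wp_lang on /wp-login.php and, going beyond the page's literal payloads, also decodes percent-encoded forms. The function names are hypothetical, the sample log lines are constructed, and the body markers are the strings quoted in the notes.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Response-body markers taken from the detection notes above.
BODY_MARKERS = {"wp-config.php": ("DB_NAME", "DB_PASSWORD"),
                "/etc/passwd": ("root:x:0:0:root",)}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), bounded."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def traversal_depth(target):
    """Count '..' segments in wp_lang on /wp-login.php; 0 means clean."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/wp-login.php"):
        return 0
    depth = 0
    for raw in parse_qs(parts.query, keep_blank_values=True).get("wp_lang", []):
        segments = re.split(r"[/\\]", fully_decode(raw))
        depth = max(depth, segments.count(".."))
    return depth

def scan_access_log(lines):
    """Return (line_no, depth, target) for every request with traversal."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        depth = traversal_depth(m.group(1)) if m else 0
        if depth:
            hits.append((no, depth, m.group(1)))
    return hits

def leaked_file(body):
    """Name the file whose markers all appear in a response body, else None."""
    for name, markers in BODY_MARKERS.items():
        if all(marker in body for marker in markers):
            return name
    return None

SAMPLE_LOG = [  # constructed lines, combined log format, documentation IPs
    '192.0.2.10 - - [17/May/2023:10:00:00 +0000] "GET /wp-login.php?wp_lang=de_DE HTTP/1.1" 200 5120',
    '192.0.2.11 - - [17/May/2023:10:00:05 +0000] "GET /wp-login.php?wp_lang=../../../../../etc/passwd HTTP/1.1" 200 1730',
    '192.0.2.11 - - [17/May/2023:10:00:09 +0000] "GET /wp-login.php?wp_lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 3312',
    '192.0.2.12 - - [17/May/2023:10:00:12 +0000] "GET /wp-login.php?wp_lang=%252e%252e%252f%252e%252e%252fx HTTP/1.1" 200 5120',
]
if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
```

Access logs only cover the request side; `leaked_file` is meant for captured response bodies (proxy or WAF), matching the response-content alerts in the notes.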

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | | 6.1 | MEDIUM | |
| vulncheck | | 6.1 | MEDIUM | |
| vendor_debian | | 5.4 | MEDIUM | |