{"id":"BIT-wordpress-2023-2745","summary":"WordPress Core \u003c 6.2.1 - Directory Traversal","details":"WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could also be used to perform a Cross-Site Scripting attack.","aliases":["BIT-wordpress-multisite-2023-2745","CVE-2023-2745"],"modified":"2026-04-09T10:00:11.375355Z","published":"2024-03-06T11:09:15.187Z","database_specific":{"cpes":["cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","cpe:2.3:a:wordpress:wordpress:6.2.0:*:*:*:*:*:*:*","cpe:2.3:a:wordpress:wordpress:6.2:*:*:*:*:*:*:*"],"severity":"Medium"},"references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/172426/WordPress-Core-6.2-XSS-CSRF-Directory-Traversal.html"},{"type":"WEB","url":"https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail="},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00024.html"},{"type":"WEB","url":"https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/"},{"type":"WEB","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2745"},{"type":"WEB","url":"https://www.exploit-db.com/exploits/52274"},{"type":"WEB","url":"https://www.wordfence.com/blog/2023/05/wordpress-core-6-2-1-security-maintenance-release-what-you-need-to-know/"}],"affected":[{"package":{"name":"wordpress","ecosystem":"Bitnami","purl":"pkg:bitnami/wordpress"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.1.38"},{"introduced":"4.2.0"},{"fixed":"4.2.35"},{"introduced":"4.3.0"},{"fixed":"4.3.31"},{"introduced":"4.4.0"},{"fi
xed":"4.4.30"},{"introduced":"4.5.0"},{"fixed":"4.5.29"},{"introduced":"4.6.0"},{"fixed":"4.6.26"},{"introduced":"4.7.0"},{"fixed":"4.7.26"},{"introduced":"4.8.0"},{"fixed":"4.8.22"},{"introduced":"4.9.0"},{"fixed":"4.9.23"},{"introduced":"5.0.0"},{"fixed":"5.0.19"},{"introduced":"5.1.0"},{"fixed":"5.1.16"},{"introduced":"5.2.0"},{"fixed":"5.2.18"},{"introduced":"5.3.0"},{"fixed":"5.3.15"},{"introduced":"5.4.0"},{"fixed":"5.4.13"},{"introduced":"5.5.0"},{"fixed":"5.5.12"},{"introduced":"5.6.0"},{"fixed":"5.6.11"},{"introduced":"5.7.0"},{"fixed":"5.7.9"},{"introduced":"5.8.0"},{"fixed":"5.8.7"},{"introduced":"5.9.0"},{"fixed":"5.9.6"},{"introduced":"6.0.0"},{"fixed":"6.0.4"},{"introduced":"6.1.0"},{"fixed":"6.1.2"},{"introduced":"6.2.0"},{"fixed":"6.2.1"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/wordpress/BIT-wordpress-2023-2745.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}],"schema_version":"1.7.5"}