{"id":"CVE-2023-2745","details":"WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.","aliases":["BIT-wordpress-2023-2745","BIT-wordpress-multisite-2023-2745"],"modified":"2026-04-10T04:56:41.478595Z","published":"2023-05-17T09:15:10.303Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00024.html"},{"type":"WEB","url":"https://www.exploit-db.com/exploits/52274"},{"type":"ADVISORY","url":"https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/"},{"type":"ADVISORY","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/172426/WordPress-Core-6.2-XSS-CSRF-Directory-Traversal.html"},{"type":"FIX","url":"https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail="}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"0"},{"fixed":"206b164e27d3db60ddf5c0b5562b9f92e4fc6fe6"},{"introduced":"87bf150016e042bc3e21f2f1cb9de44042b8cdb1"},{"fixed":"85ae754b8902916c967ccee1d8040e0fb51cdd8f"},{"introduced":"b57f3aa5f00a127f209eff74b78787dd3fd5ed4d"},{"fixed":"02242f4554cbdaa345b4545eb0adad7179f1663f"},{"introduced":"f6a29831c76d2dbe82e9ae673539f910654c58a4"},{"fixed":"2e33df0588ff16f2f932717eddd35804efb8bc85"},{"introduced":"e3aafee3f2bc07e09bf79389f20ea3db731466c3"},{"fixed":"c129defefef81abe776424ddf459f3b04b7338db"},{"introduced":"fe47e6139dbfc0f0c9ce0d79da77926b5fceaa77"},{"fixed":"c12fc446e7d264326cdd77b62d66f3b7ba99379d"},{"introduced":"14247ee4302378d292863865c643abe99bbfe3c7"},{"fixed":"eb5a504bda5fac38796af50725e7f923bc1ad02e"},{"introduced":"06fa4161aa74619239cf27017d124081c825684a"},{"fixed":"7e6cddf8dd03933e0f0f5b44b6c89bec3843e4c7"},{"introduced":"29ffbff370968ae48a1b7a34e35c8b8e75cf0f91"},{"fixed":"dde4da7b797c6f3184834075f3c472a530fe03dd"},{"introduced":"491c67be12ca8a9fe37ae38307ba7e298c976ec3"},{"fixed":"0cac57854d9be31fae947b1ac07e9a6075974264"},{"introduced":"c33464a4554cff8a082bc353d9226d8104b80d2b"},{"fixed":"e6664bb77aa10b2fde05fe5d9b0631d43656c7b6"},{"introduced":"6fe64752be3260f2a47f38e68c2cb77400e5a0c9"},{"fixed":"95b6583c2bca8bfbbc0067f938057c60b2578b58"},{"introduced":"50dc0ca5bb332c895f0f39fe4e6ee1e4a43e06dc"},{"fixed":"18a1be2684e0cbd8c7ebebecfb9ca29b13d7d607"},{"introduced":"9ff4499281663b0c772787fd4a60538288f842e9"},{"fixed":"64da002d598dda6b682cb595bb317008253695b8"},{"introduced":"537fd931bc02e6e934a2d774422b897871aa87ad"},{"fixed":"efb471e7258d930659983062c5759fcbcab01867"},{"introduced":"965fcddcf68cf4fd122ae24b992e242dfea1d773"},{"fixed":"2876d269e6e74858e82dac0bea7cd86ea5a870ec"},{"introduced":"058f9903676a7efaee534a682df0a2a8b87574d8"},{"fixed":"61abfb66115c809782419ab4d5f491a62e08e345"},{"introduced":"50caeb6e61ad0c49d2c7e1d6d5115047a011f590"},{"fixed":"61d5032484ddbbd548b45f293245b3dc0e791ceb"},{"introduced":"73157386d069425c5e6ea7c4fc0122e8a9b58a7b"},{"fixed":"21e34a51aa55a33ca92a24442744ba8c42bc1c48"},{"introduced":"cc101b64012b16d087780657a2b828ccd7794a63"},{"fixed":"527210254519f3f5792ac4a2297d57b981cbfd32"},{"introduced":"6c5d5b5dcb9712bfc400b09cb6627e42898527af"},{"fixed":"ece2b5f087bc93a3ee4047589652d8e4756f8f15"},{"introduced":"0"},{"last_affected":"17e2eff4aa3beb2802cbec12b6f08e2fbf69893d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.1.38"},{"introduced":"4.2"},{"fixed":"4.2.35"},{"introduced":"4.3"},{"fixed":"4.3.31"},{"introduced":"4.4"},{"fixed":"4.4.30"},{"introduced":"4.5"},{"fixed":"4.5.29"},{"introduced":"4.6"},{"fixed":"4.6.26"},{"introduced":"4.7"},{"fixed":"4.7.26"},{"introduced":"4.8"},{"fixed":"4.8.22"},{"introduced":"4.9"},{"fixed":"4.9.23"},{"introduced":"5.0"},{"fixed":"5.0.19"},{"introduced":"5.1"},{"fixed":"5.1.16"},{"introduced":"5.2"},{"fixed":"5.2.18"},{"introduced":"5.3"},{"fixed":"5.3.15"},{"introduced":"5.4"},{"fixed":"5.4.13"},{"introduced":"5.5"},{"fixed":"5.5.12"},{"introduced":"5.6"},{"fixed":"5.6.11"},{"introduced":"5.7"},{"fixed":"5.7.9"},{"introduced":"5.8"},{"fixed":"5.8.7"},{"introduced":"5.9"},{"fixed":"5.9.6"},{"introduced":"6.0"},{"fixed":"6.0.4"},{"introduced":"6.1"},{"fixed":"6.1.2"},{"introduced":"0"},{"last_affected":"6.2"}]}}],"versions":["4.9.8","6.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-2745.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"}]}