Sign in Subscribe

← All advisories

Medium severity5.4NVD Advisory· Published May 17, 2023· Updated Apr 8, 2026

CVE-2023-2745

CVE-2023-2745

Description

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.

Affected products

2

WordPress/WordPress2 versions
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*range: <4.1.38
- cpe:2.3:a:wordpress:wordpress:6.2:*:*:*:*:*:*:*
Package: https://wordpress.org/plugins/wordpress

Patches

21

206b164e27d3

https://github.com/wordpress/wordpressvia osv

85ae754b8902

https://github.com/wordpress/wordpressvia osv

02242f4554cb

https://github.com/wordpress/wordpressvia osv

2e33df0588ff

https://github.com/wordpress/wordpressvia osv

c129defefef8

https://github.com/wordpress/wordpressvia osv

c12fc446e7d2

https://github.com/wordpress/wordpressvia osv

eb5a504bda5f

https://github.com/wordpress/wordpressvia osv

7e6cddf8dd03

https://github.com/wordpress/wordpressvia osv

dde4da7b797c

https://github.com/wordpress/wordpressvia osv

0cac57854d9b

https://github.com/wordpress/wordpressvia osv

e6664bb77aa1

https://github.com/wordpress/wordpressvia osv

95b6583c2bca

https://github.com/wordpress/wordpressvia osv

18a1be2684e0

https://github.com/wordpress/wordpressvia osv

64da002d598d

https://github.com/wordpress/wordpressvia osv

efb471e7258d

https://github.com/wordpress/wordpressvia osv

2876d269e6e7

https://github.com/wordpress/wordpressvia osv

61abfb66115c

https://github.com/wordpress/wordpressvia osv

61d5032484dd

https://github.com/wordpress/wordpressvia osv

21e34a51aa55

https://github.com/wordpress/wordpressvia osv

527210254519

https://github.com/wordpress/wordpressvia osv

ece2b5f087bc

https://github.com/wordpress/wordpressvia osv

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

core.trac.wordpress.org/changesetnvdPatch
packetstormsecurity.com/files/172426/WordPress-Core-6.2-XSS-CSRF-Directory-Traversal.htmlnvdThird Party AdvisoryVDB Entry
www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358fnvdThird Party Advisory
wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/nvdRelease Notes
lists.debian.org/debian-lts-announce/2023/06/msg00024.htmlnvd
www.exploit-db.com/exploits/52274nvd
www.wordfence.com/blog/2023/05/wordpress-core-6-2-1-security-maintenance-release-what-you-need-to-know/nvd

News mentions

0

No linked articles in our index yet.