CVE-2023-2745
Published: 17 May 2023
Summary
CVE-2023-2745 is a medium-severity Path Traversal (CWE-22) vulnerability in WordPress Core (vendor: WordPress). Its CVSS base score is 5.4 (Medium).
Operationally, it ranks in the top 0.9% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
WordPress Core versions up to and including 6.2 are affected by a directory traversal vulnerability tracked as CVE-2023-2745 and assigned CWE-22. The flaw resides in handling of the wp_lang parameter and enables unauthenticated attackers to access and load arbitrary translation files. When an attacker can also place a crafted translation file on the target site, the same vector can be leveraged for cross-site scripting. The issue received a CVSS 3.1 score of 5.4.
An unauthenticated remote attacker can supply a wp_lang value containing traversal sequences, causing WordPress to resolve and load a translation file from outside the intended languages directory. On its own this is a file-load primitive, not code execution. If the attacker can also get a file onto the site (for example through an upload form), the loaded "translation" can carry script content that executes in the browsers of other users, turning the traversal into cross-site scripting.
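The following is an added example, not WordPress core code: a Python model of the weakness class described above, where an unvalidated locale value is spliced into a translation-file path, shown next to a hardened resolver that allow-lists the locale and then confirms the resolved path stays inside the languages directory. The directory layout, function names and the sample attacker values are assumptions for illustration; the exact upstream fix in 6.2.1 is not reproduced here.

```python
"""Added example (not WordPress code): unvalidated locale -> path traversal,
beside a hardened resolver. Layout and names are assumptions."""
import os
import re
from typing import Optional

LANG_DIR = "/var/www/html/wp-content/languages"  # assumed install layout

# Locale identifiers look like "en_US", "de_DE_formal", "pt-BR": letters,
# digits, underscore and hyphen only. Slashes, dots and NUL never belong.
LOCALE_RE = re.compile(r"[A-Za-z0-9_-]{2,20}")


def translation_path_vulnerable(wp_lang: str) -> str:
    """Mirrors the weakness: the request parameter is spliced into the path unchecked."""
    return os.path.normpath(os.path.join(LANG_DIR, wp_lang + ".mo"))


def translation_path_hardened(wp_lang: str, base_dir: str = LANG_DIR) -> Optional[str]:
    """Allow-list the locale shape, then verify containment in base_dir."""
    if not LOCALE_RE.fullmatch(wp_lang):
        return None  # rejects "../", "%00", empty values, overlong values
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, wp_lang + ".mo"))
    # Defense in depth: even a pattern-valid name must resolve under base
    # (catches symlink tricks the regex cannot see).
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request values: one legitimate locale, two traversal
    # attempts (the uploads one models the crafted-translation-file XSS
    # scenario), and a NUL-byte truncation attempt.
    for value in ("de_DE", "../uploads/2023/05/payload",
                  "../../../../../tmp/evil", "en_US\x00"):
        print(repr(value), "->",
              translation_path_vulnerable(value), "|",
              translation_path_hardened(value))
```

The vulnerable resolver happily yields a path under wp-content/uploads for the second value, which is exactly the combination the advisory warns about: a traversal primitive plus any way to put a file on disk. The hardened resolver rejects everything but a locale-shaped string, and the containment check is cheap insurance in case the allow-list is ever loosened.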
Official advisories and the WordPress 6.2.1 maintenance release note that the vulnerability is resolved by the changeset that updates language-file handling and recommend immediate upgrade to version 6.2.1 or later. The referenced Wordfence and Packet Storm entries further detail the patch and provide indicators for detection.
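As an added example of the kind of detection the advisory points to (this is not the Wordfence or Packet Storm logic, and the log lines are constructed, not real traffic), the script below scans access-log lines for a wp_lang parameter whose decoded value is not locale-shaped. It decodes repeatedly so double-encoded traversal sequences are not missed. The wp-login.php endpoint in the sample is an assumption; the check keys only on the parameter name, so it works for whichever endpoint reads wp_lang on a given install.

```python
"""Added detection example (not from the referenced advisories): flag
requests whose wp_lang value is not a well-formed locale. Sample log lines
are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access log lines. Endpoint is assumed.
SAMPLE_LOG = """\
203.0.113.5 - - [18/May/2023:10:01:12 +0000] "GET /wp-login.php?wp_lang=de_DE HTTP/1.1" 200 5123
203.0.113.7 - - [18/May/2023:10:01:13 +0000] "GET /wp-login.php?wp_lang=../../../../../tmp/evil HTTP/1.1" 200 5123
203.0.113.7 - - [18/May/2023:10:01:14 +0000] "GET /wp-login.php?wp_lang=..%2Fuploads%2F2023%2F05%2Fpayload HTTP/1.1" 200 5123
203.0.113.9 - - [18/May/2023:10:01:15 +0000] "GET /wp-login.php?wp_lang=%252e%252e%2Fuploads%2Fx HTTP/1.1" 200 5123
198.51.100.2 - - [18/May/2023:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# What a legitimate locale looks like; anything else in wp_lang is suspect.
LOCALE_RE = re.compile(r"[A-Za-z0-9_-]{1,20}")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %252e -> %2e -> '.' is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_wp_lang(target: str):
    """Return the decoded wp_lang value if it is not locale-shaped, else None."""
    query = urlsplit(target).query
    for raw in parse_qs(query, keep_blank_values=True).get("wp_lang", []):
        value = decode_fully(raw)  # parse_qs already decoded one layer
        if not LOCALE_RE.fullmatch(value):
            return value
    return None


def scan(log_text: str):
    """Yield (ip, timestamp, status, decoded wp_lang) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        value = suspicious_wp_lang(m["target"])
        if value is not None:
            hits.append((m["ip"], m["ts"], m["status"], value))
    return hits


if __name__ == "__main__":
    for ip, ts, status, value in scan(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} wp_lang={value!r}")
```

A hit with a 200 status shows an attempt, not that a file outside the languages directory was actually loaded; correlate with the site's version and, for the XSS variant, with recent uploads. On a site already on 6.2.1 or later these entries are still useful as evidence of scanning.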
The associated EPSS score (an estimate of the probability of exploitation in the wild within the next 30 days) peaked at 0.7977 and currently stands at 0.7928, meaning it has stayed far above the typical CVE since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34206
Vulnerability details
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the 'wp_lang' parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could also be used to perform a Cross-Site Scripting attack.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
WordPress Core, versions up to and including 6.2 (fixed in 6.2.1).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validate pathnames and filenames (here, the wp_lang locale value) against a strict allow-list before using them to build a file path, and confirm the resolved path stays inside the intended languages directory.