Vulnerability Report

CVE-2023-2745

Title: WordPress Core Directory Traversal

Arbitrary File Access

Proof Of Concept

PoC Available for CVE-2023-2745

CWE Category CWE-22

Published Date May 17, 2023

Modified Date Apr 08, 2026

Exploit Status Available

Score 5.4 CVSS v3.1

Exploit Probability (EPSS)

79.28%

Vulnerability Summary

CVE-2023-2745: WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.

Impacted Vendors

wordpress 1

Reference Links

http://packetstormsecurity.com/files/172426/WordPress-Core-6.2-XSS-CSRF-Directory-Traversal.html https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail= https://lists.debian.org/debian-lts-announce/2023/06/msg00024.html https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/ https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve http://packetstormsecurity.com/files/172426/WordPress-Core-6.2-XSS-CSRF-Directory-Traversal.html https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail= https://lists.debian.org/debian-lts-announce/2023/06/msg00024.html https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/ https://www.exploit-db.com/exploits/52274 https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve

CVSS v3.1

Source Entity [email protected]

Severity MEDIUM

5.4

Attack Vector

NETWORK

Complexity

HIGH

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

CVSS v3.1

Source Entity [email protected]

Severity MEDIUM

6.1

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

REQUIRED

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2023-2745 Exploits & PoCs (Proof Of Concept)

Exploit-DB https://www.exploit-db.com/exploits/52274

View Code

April 08, 2026 MODIFIED

Vulnerability data updated via NVD.

April 24, 2025 MODIFIED

Vulnerability data or affected products updated.

May 17, 2023 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity HIGH

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Affected Stack

No specific products linked.