{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-2745", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-05-16T19:53:02.398Z", "datePublished": "2023-05-17T08:36:44.034Z", "dateUpdated": "2026-04-08T17:31:40.202Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:40.202Z"}, "affected": [{"vendor": "WordPress Foundation", "product": "WordPress", "versions": [{"version": "0", "status": "affected", "lessThan": "4.1.38", "versionType": "semver"}, {"version": "4.2", "status": "affected", "lessThan": "4.2.35", "versionType": "semver"}, {"version": "4.3", "status": "affected", "lessThan": "4.3.31", "versionType": "semver"}, {"version": "4.4", "status": "affected", "lessThan": "4.4.30", "versionType": "semver"}, {"version": "4.5", "status": "affected", "lessThan": "4.5.29", "versionType": "semver"}, {"version": "4.6", "status": "affected", "lessThan": "4.6.26", "versionType": "semver"}, {"version": "4.7", "status": "affected", "lessThan": "4.7.26", "versionType": "semver"}, {"version": "4.8", "status": "affected", "lessThan": "4.8.22", "versionType": "semver"}, {"version": "4.9", "status": "affected", "lessThan": "4.9.23", "versionType": "semver"}, {"version": "5.0", "status": "affected", "lessThan": "5.0.19", "versionType": "semver"}, {"version": "5.1", "status": "affected", "lessThan": "5.1.16", "versionType": "semver"}, {"version": "5.2", "status": "affected", "lessThan": "5.2.18", "versionType": "semver"}, {"version": "5.3", "status": "affected", "lessThan": "5.3.15", "versionType": "semver"}, {"version": "5.4", "status": "affected", "lessThan": "5.4.13", "versionType": "semver"}, {"version": "5.5", "status": "affected", "lessThan": "5.5.12", "versionType": "semver"}, {"version": "5.6", "status": "affected", "lessThan": "5.6.11", "versionType": "semver"}, {"version": "5.7", "status": "affected", "lessThan": "5.7.9", "versionType": "semver"}, {"version": "5.8", "status": "affected", "lessThan": "5.8.7", "versionType": "semver"}, {"version": "5.9", "status": "affected", "lessThan": "5.9.6", "versionType": "semver"}, {"version": "6.0", "status": "affected", "lessThan": "6.0.4", "versionType": "semver"}, {"version": "6.1", "status": "affected", "lessThan": "6.1.2", "versionType": "semver"}, {"version": "6.2", "status": "affected", "lessThan": "6.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the \u2018wp_lang\u2019 parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack."}], "title": "WordPress Core < 6.2.1 - Directory Traversal", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve"}, {"url": "https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/"}, {"url": "https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail="}, {"url": "https://www.wordfence.com/blog/2023/05/wordpress-core-6-2-1-security-maintenance-release-what-you-need-to-know/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ramuel Gall"}, {"lang": "en", "type": "finder", "value": "Matt Rusnak"}], "timeline": [{"time": "2023-05-16T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-24T18:22:33.536Z"}, "references": [{"url": "https://www.exploit-db.com/exploits/52274"}, {"tags": ["x_transferred"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve"}, {"tags": ["x_transferred"], "url": "https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/"}, {"tags": ["x_transferred"], "url": "https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail="}, {"tags": ["x_transferred"], "url": "http://packetstormsecurity.com/files/172426/WordPress-Core-6.2-XSS-CSRF-Directory-Traversal.html"}, {"tags": ["x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00024.html"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-13T16:22:24.483760Z", "id": "CVE-2023-2745", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-13T16:49:16.213Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.exploit-db.com/exploits/52274"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve", "tags": ["x_transferred"]}, {"url": "https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/", "tags": ["x_transferred"]}, {"url": "https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/172426/WordPress-Core-6.2-XSS-CSRF-Directory-Traversal.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00024.html", "tags": ["x_transferred"]}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-24T18:22:33.536Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-2745", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-13T16:22:24.483760Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-13T16:22:25.865Z"}}], "cna": {"title": "WordPress Core < 6.2.1 - Directory Traversal", "credits": [{"lang": "en", "type": "finder", "value": "Ramuel Gall"}, {"lang": "en", "type": "finder", "value": "Matt Rusnak"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "WordPress Foundation", "product": "WordPress", "versions": [{"status": "affected", "version": "0", "lessThan": "4.1.38", "versionType": "semver"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.35", "versionType": "semver"}, {"status": "affected", "version": "4.3", "lessThan": "4.3.31", "versionType": "semver"}, {"status": "affected", "version": "4.4", "lessThan": "4.4.30", "versionType": "semver"}, {"status": "affected", "version": "4.5", "lessThan": "4.5.29", "versionType": "semver"}, {"status": "affected", "version": "4.6", "lessThan": "4.6.26", "versionType": "semver"}, {"status": "affected", "version": "4.7", "lessThan": "4.7.26", "versionType": "semver"}, {"status": "affected", "version": "4.8", "lessThan": "4.8.22", "versionType": "semver"}, {"status": "affected", "version": "4.9", "lessThan": "4.9.23", "versionType": "semver"}, {"status": "affected", "version": "5.0", "lessThan": "5.0.19", "versionType": "semver"}, {"status": "affected", "version": "5.1", "lessThan": "5.1.16", "versionType": "semver"}, {"status": "affected", "version": "5.2", "lessThan": "5.2.18", "versionType": "semver"}, {"status": "affected", "version": "5.3", "lessThan": "5.3.15", "versionType": "semver"}, {"status": "affected", "version": "5.4", "lessThan": "5.4.13", "versionType": "semver"}, {"status": "affected", "version": "5.5", "lessThan": "5.5.12", "versionType": "semver"}, {"status": "affected", "version": "5.6", "lessThan": "5.6.11", "versionType": "semver"}, {"status": "affected", "version": "5.7", "lessThan": "5.7.9", "versionType": "semver"}, {"status": "affected", "version": "5.8", "lessThan": "5.8.7", "versionType": "semver"}, {"status": "affected", "version": "5.9", "lessThan": "5.9.6", "versionType": "semver"}, {"status": "affected", "version": "6.0", "lessThan": "6.0.4", "versionType": "semver"}, {"status": "affected", "version": "6.1", "lessThan": "6.1.2", "versionType": "semver"}, {"status": "affected", "version": "6.2", "lessThan": "6.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-05-16T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve"}, {"url": "https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/"}, {"url": "https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail="}, {"url": "https://www.wordfence.com/blog/2023/05/wordpress-core-6-2-1-security-maintenance-release-what-you-need-to-know/"}], "descriptions": [{"lang": "en", "value": "WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the \u2018wp_lang\u2019 parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:40.202Z"}}}, "cveMetadata": {"cveId": "CVE-2023-2745", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:40.202Z", "dateReserved": "2023-05-16T19:53:02.398Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2023-05-17T08:36:44.034Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "72FEE686-296A-4EEF-8EC7-70F19B2ECC8D", "versionEndExcluding": "4.1.38", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE814729-9FD8-41E7-8AA5-F123A79833B9", "versionEndExcluding": "4.2.35", "versionStartIncluding": "4.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "99259AB0-B175-402A-A186-C266EE088033", "versionEndExcluding": "4.3.31", "versionStartIncluding": "4.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "19A06A3E-A938-49B7-914A-F970198B583A", "versionEndExcluding": "4.4.30", "versionStartIncluding": "4.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CA38BB9-8B35-478E-9E39-319DF67C35CD", "versionEndExcluding": "4.5.29", "versionStartIncluding": "4.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "CCA4F837-593D-4AFD-9D1B-EF610FEC5FF8", "versionEndExcluding": "4.6.26", "versionStartIncluding": "4.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A4ADD5E-F7DF-4407-88F9-EA01E6F06527", "versionEndExcluding": "4.7.26", "versionStartIncluding": "4.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B5A5147-A542-4F16-9EBD-2038CAF052E5", "versionEndExcluding": "4.8.22", "versionStartIncluding": "4.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "79324121-3888-4546-B9C2-24086AED5DC0", "versionEndExcluding": "4.9.23", "versionStartIncluding": "4.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0EE2796-CF56-4ECA-B789-43A1F84D0584", "versionEndExcluding": "5.0.19", "versionStartIncluding": "5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "6518C0C4-8879-4E08-87A1-670AC86286B1", "versionEndExcluding": "5.1.16", "versionStartIncluding": "5.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0217196-8093-4802-887B-CB32D0269913", "versionEndExcluding": "5.2.18", "versionStartIncluding": "5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A76E2C9-E081-46B3-9089-98C5EE1CBE88", "versionEndExcluding": "5.3.15", "versionStartIncluding": "5.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "8290086D-12BE-46E5-97E3-8616609C73A6", "versionEndExcluding": "5.4.13", "versionStartIncluding": "5.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "64A76DFC-7B9A-420F-B893-BCC2E82E0804", "versionEndExcluding": "5.5.12", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2D5BDD5-1808-4C63-8114-352A8D46E3B2", "versionEndExcluding": "5.6.11", "versionStartIncluding": "5.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "69562325-CEA6-478E-9938-FA173578F280", "versionEndExcluding": "5.7.9", "versionStartIncluding": "5.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "62FEB36C-296F-40FB-B061-05104C1355F9", "versionEndExcluding": "5.8.7", "versionStartIncluding": "5.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C9F371A-3573-4253-95B1-235B50414A69", "versionEndExcluding": "5.9.6", "versionStartIncluding": "5.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "80D8EF2C-5074-4655-A093-7B2715584219", "versionEndExcluding": "6.0.4", "versionStartIncluding": "6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "77A2C30C-AFD4-4EE9-B7C8-7380A79BDE8B", "versionEndExcluding": "6.1.2", "versionStartIncluding": "6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:6.2:*:*:*:*:*:*:*", "matchCriteriaId": "FE62E493-0231-4BBE-BC6B-8A9F153C6B04", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the \u2018wp_lang\u2019 parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack."}], "id": "CVE-2023-2745", "lastModified": "2026-04-08T19:18:19.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2023-05-17T09:15:10.303", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Release Notes"], "url": "https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/blog/2023/05/wordpress-core-6-2-1-security-maintenance-release-what-you-need-to-know/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/172426/WordPress-Core-6.2-XSS-CSRF-Directory-Traversal.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail="}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00024.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/52274"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}