PT-2023-21137 · WordPress · Wordpress
Matt Rusnak +2 · Published 2023-05-17 · Updated 2024-05-08
CVE-2023-2745
CVSS v3.1 5.4 Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
WordPress Core versions up to, and including, 6.2
Description
WordPress Core versions up to and including 6.2 are vulnerable to directory traversal through the wp_lang request parameter. The value is used to pick which translation file to load, so an unauthenticated attacker can make the site read and load an arbitrary file from the server as a translation file. On its own that has limited impact; if the attacker can also get a crafted translation file onto the site (for example through an upload form), loading it can lead to Cross-Site Scripting.
Recommendations
Update to WordPress 6.2.1 or later, which sanitizes the wp_lang value before it is used to build a file path. Where the update cannot be applied immediately, restrict or strip the wp_lang parameter at the web server or WAF to reduce exposure, and review any upload forms that could let an attacker place a crafted translation file on the site.
Fix
Patched in WordPress 6.2.1.
Weakness
Path traversal
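As an added illustration (not code from this advisory or from WordPress itself), the following Python models the flaw and the fix described under Description and Recommendations: a locale value taken from wp_lang is joined onto the languages directory to form a translation-file path, first with no filtering, then after an allowlist filter modelled on the sanitize_locale_name() function WordPress added in 6.2.1 plus a containment check. It also includes a small triage helper that flags access-log query strings whose wp_lang value the allowlist would have to alter, the kind of rule behind the advice to restrict access to the parameter. The directory layout, the simplified path construction and the sample query strings are constructed for the example and are not WordPress's real loader.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed layout for the example (assumption: a typical WordPress install).
WP_CONTENT_DIR = "/var/www/html/wp-content"
LANGUAGES_DIR = posixpath.join(WP_CONTENT_DIR, "languages")

# Allowlist modelled on WordPress's sanitize_locale_name() (added in 6.2.1):
# anything other than ASCII letters, digits, underscore and hyphen is dropped.
_DISALLOWED = re.compile(r"[^A-Za-z0-9_-]")


def sanitize_locale_name(locale_name: str) -> str:
    """Strip every character a locale name such as de_DE or pt-BR may not contain."""
    return _DISALLOWED.sub("", locale_name)


def escapes_languages_dir(path: str) -> bool:
    """True when a normalised absolute path is not inside LANGUAGES_DIR."""
    return posixpath.commonpath([LANGUAGES_DIR, path]) != LANGUAGES_DIR


def unsafe_translation_path(wp_lang: str) -> str:
    """Vulnerable pattern (simplified model, not WordPress's real loader):
    the raw parameter is interpolated into the .mo file path, so '../'
    sequences walk out of the languages directory."""
    return posixpath.normpath(posixpath.join(LANGUAGES_DIR, wp_lang + ".mo"))


def safe_translation_path(wp_lang: str) -> Optional[str]:
    """Hardened form: allowlist-filter the locale, then verify the resolved
    path is still inside LANGUAGES_DIR. Returns None when the request is
    rejected (empty locale after filtering, or a path that escapes)."""
    locale = sanitize_locale_name(wp_lang)
    if not locale:
        return None
    candidate = posixpath.normpath(posixpath.join(LANGUAGES_DIR, locale + ".mo"))
    # Defence in depth: the containment check still holds if the allowlist
    # is ever loosened.
    if escapes_languages_dir(candidate):
        return None
    return candidate


def suspicious_wp_lang(query_string: str) -> bool:
    """Triage helper for access logs: True when the request carries a wp_lang
    value that the allowlist would alter, i.e. one no legitimate locale
    switch would produce."""
    values = parse_qs(query_string, keep_blank_values=True).get("wp_lang", [])
    return any(sanitize_locale_name(v) != v for v in values)


# Constructed sample query strings, as they might appear in an access log.
SAMPLE_QUERIES = [
    "wp_lang=de_DE",
    "redirect_to=%2Fwp-admin%2F&wp_lang=pt-BR",
    "wp_lang=..%2F..%2Fuploads%2F2023%2F05%2Fcrafted",
]


def flagged_queries():
    """Return the sample queries the triage helper would flag."""
    return [q for q in SAMPLE_QUERIES if suspicious_wp_lang(q)]
```

Note that sanitizing alone turns a traversal value into a harmless filename rather than rejecting the request, which is why the containment check is kept as a second layer; for log triage, comparing the raw value against its sanitized form catches traversal attempts regardless of the exact encoding used.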
Related Identifiers
CVE-2023-2745
Affected Products
WordPress