CVE-2023-2745

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.

Published: May 17, 2023
Updated: Jun 29, 2025
CVE: CVE-2023-2745
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
WordPress / wordpress	6.2	6.2.x
WordPress / wordpress	6.1	6.1.2
WordPress / wordpress	6.0	6.0.4
WordPress / wordpress	5.9	5.9.6
WordPress / wordpress	5.8	5.8.7
WordPress / wordpress	5.6	5.6.11
WordPress / wordpress	5.5	5.5.12
WordPress / wordpress	5.4	5.4.13
WordPress / wordpress	5.3	5.3.15
WordPress / wordpress	5.2	5.2.18
WordPress / wordpress	5.1	5.1.16
WordPress / wordpress	5.0	5.0.19
WordPress / wordpress	4.9	4.9.23
WordPress / wordpress	4.8	4.8.22
WordPress / wordpress	4.7	4.7.26
WordPress / wordpress	4.6	4.6.26
WordPress / wordpress	4.5	4.5.29
WordPress / wordpress	4.4	4.4.30
WordPress / wordpress	4.3	4.3.31
WordPress / wordpress	4.2	4.2.35
WordPress / wordpress	5.7	5.7.9
WordPress / wordpress	-	4.1.38

Vulnerability Database

289,599

CVE-2023-2745