CVE-2023-2745 Overview
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this vulnerability could also be leveraged to perform a Cross-Site Scripting (XSS) attack.
Critical Impact
Unauthenticated attackers can exploit directory traversal to load arbitrary translation files, potentially escalating to XSS attacks when combined with file upload capabilities.
Affected Products
- WordPress Core versions up to and including 6.2
- WordPress Core versions prior to 4.1.38
- WordPress Core versions 4.2.x through 6.2.x (various branches)
Discovery Timeline
- 2023-05-17 - CVE-2023-2745 published to NVD
- 2023-05-16 - WordPress releases security patch in version 6.2.1
- 2025-04-24 - Last updated in NVD database
Technical Details for CVE-2023-2745
Vulnerability Analysis
This directory traversal vulnerability exists in WordPress Core's handling of the wp_lang parameter used for loading translation files. The vulnerability allows unauthenticated attackers to manipulate the language parameter to traverse outside the intended directory structure and load arbitrary .mo (Machine Object) translation files from locations not intended to be accessible.
The attack surface becomes significantly more dangerous when combined with file upload functionality. If an attacker can upload a maliciously crafted translation file to the server (through legitimate upload forms, compromised plugins, or other means), they can then use this directory traversal to load that file, resulting in Cross-Site Scripting execution in the context of authenticated users.
Root Cause
The root cause is insufficient input validation and sanitization of the wp_lang parameter before it is used to construct file paths for loading translation files. WordPress failed to properly validate that the requested translation file path remained within the expected language directory, allowing path traversal sequences to escape the intended directory boundary.
Attack Vector
The attack is network-accessible and requires no authentication or special privileges. An attacker exploits this vulnerability by manipulating the wp_lang parameter in HTTP requests to include directory traversal sequences (such as ../). This allows the attacker to specify paths outside the normal translation file directory.
When a vulnerable WordPress installation processes this malicious request, it attempts to load the translation file from the attacker-specified path. If the attacker has previously uploaded a malicious translation file containing XSS payloads, loading this file can result in script execution in victim browsers. The attack requires user interaction (visiting the malicious page) for the XSS component to execute.
Detection Methods for CVE-2023-2745
Indicators of Compromise
- Unusual HTTP requests containing wp_lang parameter with path traversal sequences like ../ or ..%2F
- Access logs showing requests to WordPress pages with abnormal wp_lang values
- Presence of unexpected .mo or .po files in non-standard directories
- Evidence of unauthorized file uploads, particularly translation files in unusual locations
Detection Strategies
- Monitor web server access logs for requests containing wp_lang parameter with directory traversal patterns
- Implement Web Application Firewall (WAF) rules to detect and block path traversal attempts in the wp_lang parameter
- Review file system for recently created or modified translation files outside the standard wp-content/languages directory
- Deploy endpoint detection to identify potential XSS execution following directory traversal exploitation
Monitoring Recommendations
- Enable detailed logging for all requests to WordPress installations
- Configure alerts for suspicious patterns in the wp_lang parameter across your WordPress fleet
- Monitor for anomalous file creation events in WordPress directories
- Implement content security policies (CSP) to help mitigate the impact of any successful XSS attacks
How to Mitigate CVE-2023-2745
Immediate Actions Required
- Update WordPress Core to version 6.2.1 or later immediately
- Review server logs for any evidence of exploitation attempts
- Audit uploaded files for suspicious translation files that may have been planted for exploitation
- Implement WAF rules to block directory traversal attempts in the wp_lang parameter
Patch Information
WordPress addressed this vulnerability in the WordPress 6.2.1 Maintenance and Security Release published in May 2023. The fix implements proper input validation and path canonicalization to prevent directory traversal via the wp_lang parameter. Technical details of the changes can be reviewed in the WordPress Trac Changeset.
For systems running Debian-based distributions, refer to the Debian LTS Announcement for package-specific updates.
Workarounds
- If immediate patching is not possible, implement WAF rules to block requests containing path traversal sequences in the wp_lang parameter
- Restrict file upload capabilities to trusted users only and audit upload forms for proper validation
- Consider temporarily disabling translation file loading functionality if not required for your WordPress deployment
- Use a security plugin such as Wordfence to add additional protection layers while awaiting patch deployment
# Example WAF rule pattern for Apache mod_security
SecRule ARGS:wp_lang "@contains ../" "id:1001,phase:1,deny,status:403,msg:'Directory traversal attempt in wp_lang parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
