CVE-2023-2745

MEDIUM · EXPLOITED · NUCLEI

WordPress < 6.2 - Unauthenticated Directory Traversal via wp_lang Parameter

Title source: llm

Exploitation Summary

CVE-2023-2745 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Milad karimi and fofovicfof-ai. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages a directory traversal vulnerability in WordPress Core 6.2 by manipulating the 'wp_lang' parameter to access arbitrary files, such as '/etc/passwd'. It sends a crafted HTTP request and checks the response for successful file access.

Description

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.

Exploits (2)

exploitdb WORKING POC
by Milad karimi · python · webapps · php
https://www.exploit-db.com/exploits/52274


Classification: Working PoC (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress Core 6.2
Authentication: none needed
Prerequisites: Target WordPress instance running version 6.2 or earlier · Network access to the target
Analyzed by devstral-2 on Feb 16, 2026

nomisec SCANNER
by fofovicfof-ai · infoleak
https://github.com/fofovicfof-ai/cve-2023-2745

This repository contains a Python script that checks for the presence of CVE-2023-2745, a directory traversal vulnerability in WordPress versions ≤ 6.2. The script attempts to exploit the vulnerability by probing for /etc/passwd via the wp_lang parameter but does not execute arbitrary code.

Classification: Scanner (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress ≤ 6.2
Authentication: none needed
Prerequisites: Target must be running a vulnerable version of WordPress (≤ 6.2) · The /etc/passwd file must be accessible via the traversal path
Analyzed by devstral-2 on Feb 19, 2026

Nuclei Templates (1)

WordPress Core <=6.2 - Directory Traversal
MEDIUM · by nqdung2002

Scores

CVSS v3 5.4
EPSS 0.7953
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2026-05-04
CWE
CWE-22
Status published
Products (24)
wordpress/wordpress 6.2
wordpress/wordpress < 4.1.38
WordPress Foundation/WordPress < 4.1.38
WordPress Foundation/WordPress 4.2 - 4.2.35
WordPress Foundation/WordPress 4.3 - 4.3.31
WordPress Foundation/WordPress 4.4 - 4.4.30
WordPress Foundation/WordPress 4.5 - 4.5.29
WordPress Foundation/WordPress 4.6 - 4.6.26
WordPress Foundation/WordPress 4.7 - 4.7.26
WordPress Foundation/WordPress 4.8 - 4.8.22
... and 14 more
Published May 17, 2023
Tracked Since Feb 18, 2026