CVE-2023-2745
⚪ For information
A vulnerability in WordPress Core allows attackers to access translation files.
| Field | Value |
|---|---|
| CVSS | 5.4 |
| EPSS | 79.5% |
| Exploit | none |
| Vendor | wordpress |
Source description (NVD)
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.
path-traversal xss
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 5.4 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 79.5% |
| Published (NVD) | 2023-05-17 09:15:10 UTC |
| Last modified (NVD) | 2026-04-08 19:18:19 UTC |
References
- https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail= (security@wordfence.com) [Patch]
- https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/ (security@wordfence.com) [Release Notes]
- https://www.wordfence.com/blog/2023/05/wordpress-core-6-2-1-security-maintenance-release-what-you-need-to-know/ (security@wordfence.com)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve (security@wordfence.com) [Third Party Advisory]
- http://packetstormsecurity.com/files/172426/WordPress-Core-6.2-XSS-CSRF-Directory-Traversal.html (af854a3a-2127-422b-91ae-364da2661108) [Third Party Advisory, VDB Entry]
- https://lists.debian.org/debian-lts-announce/2023/06/msg00024.html (af854a3a-2127-422b-91ae-364da2661108)
- https://www.exploit-db.com/exploits/52274 (af854a3a-2127-422b-91ae-364da2661108)