WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.
2023-05-17T09:15:10.303
2025-04-24T19:15:45.160
Modified
CVSSv3.1: 5.4 (MEDIUM)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | wordpress | wordpress | < 4.1.38 | Yes |
| Application | wordpress | wordpress | < 4.2.35 | Yes |
| Application | wordpress | wordpress | < 4.3.31 | Yes |
| Application | wordpress | wordpress | < 4.4.30 | Yes |
| Application | wordpress | wordpress | < 4.5.29 | Yes |
| Application | wordpress | wordpress | < 4.6.26 | Yes |
| Application | wordpress | wordpress | < 4.7.26 | Yes |
| Application | wordpress | wordpress | < 4.8.22 | Yes |
| Application | wordpress | wordpress | < 4.9.23 | Yes |
| Application | wordpress | wordpress | < 5.0.19 | Yes |
| Application | wordpress | wordpress | < 5.1.16 | Yes |
| Application | wordpress | wordpress | < 5.2.18 | Yes |
| Application | wordpress | wordpress | < 5.3.15 | Yes |
| Application | wordpress | wordpress | < 5.4.13 | Yes |
| Application | wordpress | wordpress | < 5.5.12 | Yes |
| Application | wordpress | wordpress | < 5.6.11 | Yes |
| Application | wordpress | wordpress | < 5.7.9 | Yes |
| Application | wordpress | wordpress | < 5.8.7 | Yes |
| Application | wordpress | wordpress | < 5.9.6 | Yes |
| Application | wordpress | wordpress | < 6.0.4 | Yes |
| Application | wordpress | wordpress | < 6.1.2 | Yes |
| Application | wordpress | wordpress | 6.2 | Yes |