WordPress · Loco Translate · CVE-2021-24721
**Name of the Vulnerable Software and Affected Versions**
Loco Translate WordPress plugin versions prior to 2.5.4
**Description**
The issue concerns the mishandling of data inputs that get saved to a file, which can be renamed to have a .php extension. This allows authenticated "translator" users to inject PHP code into files ending with .php in web-accessible locations.
**Recommendations**
For versions prior to 2.5.4, update to version 2.5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to file renaming functionality for translator users until the update is applied.