CVE-2021-24721

Name of the Vulnerable Software and Affected Versions Loco Translate WordPress plugin versions prior to 2.5.4

Description The issue concerns the mishandling of data inputs that get saved to a file, which can be renamed to have a .php extension. This allows authenticated "translator" users to inject PHP code into files ending with .php in web-accessible locations.

Recommendations For versions prior to 2.5.4, update to version 2.5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to file renaming functionality for translator users until the update is applied.