PT-2026-29193 · WordPress · Loco Translate

Jack Pas · Published 2026-03-31 · Updated 2026-03-31 · CVE-2026-4146

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Loco Translate versions up to and including 2.8.2

Description

The Loco Translate plugin for WordPress is susceptible to Reflected Cross-Site Scripting through the update href parameter due to inadequate input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages, potentially leading to execution if a user is tricked into performing an action like clicking a malicious link. The vulnerable parameter is update href.

Recommendations

Update Loco Translate to a version later than 2.8.2.
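
An added illustration of the bug class described above, not Loco Translate's code or its patch: a URL-bearing request value reflected into an `href` attribute, first unescaped and then hardened. The function names, markup and sample values are assumptions made for the example; in WordPress, `esc_url()` is the usual helper for this output context.

```php
<?php
// Added example. Not plugin source: names, markup and inputs are assumptions.

/** Unsafe pattern: a request value concatenated into an href attribute as-is. */
function render_link_unsafe(string $href): string
{
    return '<a href="' . $href . '">Update</a>';
}

/**
 * Hardened pattern: allow-list the URL scheme, then escape for the HTML
 * attribute context. Both steps are needed: the scheme check stops
 * script-bearing URLs, the escaping stops attribute breakout.
 */
function render_link_safe(string $href): string
{
    $href   = trim($href);
    $scheme = parse_url($href, PHP_URL_SCHEME);

    // parse_url() yields false for malformed input and null when no scheme exists.
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        $href = '#'; // reject non-http(s), relative and malformed values
    }

    return '<a href="'
        . htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">Update</a>';
}

// Constructed sample inputs with benign markers in place of script.
$samples = [
    'https://example.org/plugin.zip',          // legitimate value
    'javascript:void(0)',                      // disallowed scheme
    '"><b>injected</b>',                       // attribute breakout, no scheme
    'https://example.org/?x="><b>injected</b>' // breakout behind a valid scheme
];

foreach ($samples as $s) {
    echo "input : $s\n";
    echo "unsafe: " . render_link_unsafe($s) . "\n";
    echo "safe  : " . render_link_safe($s) . "\n\n";
}
```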

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-4146

Affected Products

Loco Translate