CVE-2026-1921

The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the fsReference AJAX route. This is due to the findSourceFile() method normalizing user-supplied ref paths containing ../ directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom loco admin capability required, granted to the translator role and administrators by default), to read arbitrary .php, .js, .json, and .twig files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded.