PT-2026-36949 · WordPress · Loco Translate
Angus Girvan · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-1921
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Loco Translate versions prior to 2.8.3
Description: The Loco Translate plugin for WordPress contains a path traversal flaw. Authenticated attackers with Translator-level access or higher (requiring the loco admin capability) can read arbitrary .php, .js, .json, and .twig files from the server filesystem, excluding wp-config.php. This occurs because the findSourceFile() function fails to validate that the resolved path remains within the intended directory when processing the ref variable via the 'fsReference' AJAX route, allowing the use of ../ sequences to access files outside the translation directory.
Recommendations: Update the plugin to a version later than 2.8.2. As a temporary workaround, restrict access to the 'fsReference' AJAX route or limit users with the loco admin capability.
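The root cause described above is a missing containment check: a user-supplied reference is joined to the translation directory and opened without confirming that the canonical result still lies inside that directory. The following PHP is an added illustration of the check that closes this class of bug; it is not Loco Translate's code, the function name resolve_source_file and its parameters are assumptions, and the temporary directory tree it builds is constructed for the demonstration.

```php
<?php
// Added example (not Loco Translate's code): resolve a user-supplied file
// reference relative to a fixed base directory and refuse anything that
// escapes it. Function and parameter names are assumptions.

declare(strict_types=1);

/**
 * Resolve $ref inside $baseDir. Returns the canonical absolute path, or
 * null if the reference is empty, does not exist, escapes $baseDir, or has
 * an extension outside the allowlist.
 */
function resolve_source_file(string $baseDir, string $ref, array $allowedExt = ['php', 'js', 'json', 'twig']): ?string
{
    // Canonicalise the base directory first; realpath() resolves symlinks
    // and ".." and returns false when the path does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Reject empty references and embedded NUL bytes outright.
    if ($ref === '' || strpos($ref, "\0") !== false) {
        return null;
    }

    // Resolve the candidate *after* joining it with the base, so any "../"
    // sequences in $ref are collapsed before the containment check runs.
    $candidate = realpath($base . $ref);
    if ($candidate === false) {
        return null; // does not exist or is unreadable
    }

    // Containment check: the canonical path must start with the canonical
    // base *including* its trailing separator. Comparing without it would
    // wrongly accept a sibling directory such as "/var/www/languages-old".
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return null;
    }

    // Extension allowlist, matched on the canonical path rather than the
    // raw input, so tricks in the unresolved string cannot bypass it.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    return $candidate;
}

// Constructed demonstration tree: a translation directory with one valid
// source file, a non-allowlisted file, and a sensitive file one level up.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'loco-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/languages/loco', 0700, true);
file_put_contents($root . '/languages/loco/example.json', '{}');
file_put_contents($root . '/languages/notes.txt', 'not a source file');
file_put_contents($root . '/secret.php', '<?php // lives outside the translation directory');

$base = $root . '/languages';
$cases = [
    'loco/example.json',        // inside base, allowed extension: accepted
    'notes.txt',                // inside base, extension not allowlisted: rejected
    '../secret.php',            // escapes base via "../": rejected
    'loco/../../secret.php',    // escapes base after normalisation: rejected
    '/etc/hostname',            // absolute reference: rejected
];
foreach ($cases as $ref) {
    $result = resolve_source_file($base, $ref);
    printf("%-24s => %s\n", $ref, $result === null ? 'REJECTED' : $result);
}

// Remove the constructed tree.
unlink($root . '/languages/loco/example.json');
unlink($root . '/languages/notes.txt');
unlink($root . '/secret.php');
rmdir($root . '/languages/loco');
rmdir($root . '/languages');
rmdir($root);
```

Two design points matter for this check. The prefix comparison must include the trailing directory separator, otherwise a neighbouring directory whose name merely begins with the base name passes. And because realpath() follows symbolic links, a link placed inside the translation directory that points elsewhere is rejected as well, since its canonical target lies outside the base; for a read-only endpoint that is the safer default.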

Fix

Path traversal


Weakness Enumeration

Related Identifiers: CVE-2026-1921
Affected Products: Loco Translate