PT-2026-60434 · WordPress · Loco Translate
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Loco Translate versions prior to 2.8.6
Description
The plugin is subject to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into performing actions they did not intend to. This occurs due to missing or incorrect nonce validation in the
execTemplate() function. An unauthenticated attacker can execute arbitrary PHP code on the server by providing a php://filter stream wrapper URI through the template parameter. This method bypasses path validation and is passed directly to the include sink within the execTemplate() function via a forged request, provided a site administrator is tricked into clicking a malicious link.Recommendations
Update the plugin to version 2.8.6 or later.
As a temporary mitigation, restrict access to the
execTemplate() function.Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Loco Translate