PT-2026-60434 · WordPress · Loco Translate

·

CVE-2026-15005

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Loco Translate versions prior to 2.8.6
Description The plugin is subject to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into performing actions they did not intend to. This occurs due to missing or incorrect nonce validation in the execTemplate() function. An unauthenticated attacker can execute arbitrary PHP code on the server by providing a php://filter stream wrapper URI through the template parameter. This method bypasses path validation and is passed directly to the include sink within the execTemplate() function via a forged request, provided a site administrator is tricked into clicking a malicious link.
Recommendations Update the plugin to version 2.8.6 or later. As a temporary mitigation, restrict access to the execTemplate() function.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15005

Affected Products

Loco Translate