WordPress Plugin Vulnerabilities

Loco Translate < 2.8.3 - Reflected XSS via 'update_href' Parameter

Description

The plugin is vulnerable to Reflected Cross-Site Scripting via the ‘update_href’ parameter due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
loco-translate
Fixed in 2.8.3

References

CVE
CVE-2026-4146
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/faa6c744-7586-47ee-b2ce-af972ee8b4f7

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Jack Pas (Dark.)
Verified
No
WPVDB ID
576e3999-47f8-48c5-ad1f-d3b53d025d51

Timeline

Publicly Published
2026-03-30 (about 1 month ago)
Added
2026-03-30 (about 1 month ago)
Last Updated
2026-05-11 (about 2 days ago)

Other

Published
Title
Published
2025-02-03
Title
Job Board Manager <= 2.1.60 - Reflected Cross-Site Scripting
Published
2024-07-11
Title
Link Library < 7.7.2 - Reflected Cross-Site Scripting
Published
2024-10-14
Title
My Favorites < 1.4.3 - Contributor+ Stored XSS
Published
2021-09-20
Title
StreamCast < 2.1.1 - Contributor+ Stored Cross-Site Scripting
Published
2025-01-16
Title
SC Simple Zazzle <= 1.1.6 - Reflected Cross-Site Scripting