WordPress Plugin Vulnerabilities

Loco Translate < 2.8.3 - Translator+ Path Traversal to Limited File Read via 'ref' Parameter

Description

The plugin is vulnerable to Path Traversal via the `fsReference` AJAX route due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended directory. This makes it possible for authenticated attackers with Translator-level access and above (requires the `loco_admin` capability) to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the translation directory, excluding `wp-config.php`.

Affects Plugins

Plugin icon
loco-translate
Fixed in 2.8.3

References

CVE
CVE-2026-1921
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f9ff3058-a08c-40ed-b756-81e703b2277a

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
shark3y
Verified
No
WPVDB ID
d0fc6ffe-b8cc-4225-a462-79afba42ee07

Timeline

Publicly Published
2026-05-04 (about 10 days ago)
Added
2026-05-04 (about 9 days ago)
Last Updated
2026-05-04 (about 9 days ago)

Other

Published
Title
Published
2023-12-27
Title
JVM rich text icons < 1.2.7 - Subscriber+ Arbitrary File Deletion
Published
2024-01-17
Title
WP Recipe Maker < 9.1.1 - Directory Traversal
Published
2025-06-27
Title
BeeTeam368 Extensions Pro < 2.3.5 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Deletion
Published
2025-07-01
Title
Home Villas | Real Estate WordPress Theme <= 2.8 - Authenticated (Subscriber+) Arbitrary File Deletion
Published
2015-08-02
Title
simple-image-manipulator <= 1.0 - Remote File Download