Vulnerabilities and security researches forloco-translate loco-translate

Jun 06, 2024

CVE, Research URL: CVE-2022-0765
Home page URL: Security reports for Loco Translate
Application: Loco Translate
Date: Apr 18, 2022
Research Description: The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.
Affected versions: max 2.6.1.
Status: vulnerable

CVE, Research URL: CVE-2021-24721
Home page URL: Security reports for Loco Translate
Application: Loco Translate
Date: Nov 08, 2021
Research Description: The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations.
Affected versions: max 2.5.4.
Status: vulnerable

Jun 24, 2024

CVE, Research URL: CVE-2024-37236
Home page URL: Security reports for Loco Translate
Application: Loco Translate
Date: Jan 02, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Tim Whitlock Loco Translate allows Cross Site Request Forgery.This issue affects Loco Translate: from n/a through 2.6.9.
Affected versions: max 2.6.10.
Status: vulnerable

Dec 20, 2024

PSC, Research URL: PSC-2024-64537
Home page URL: Security reports for Loco Translate
Application: Loco Translate
Date: Apr 08, 2025
Research Description: Loco Translate is a powerful tool designed for seamless translation management directly within your WordPress dashboard. With over 1 million downloads, this plugin has established itself as a reliable choice for developers and website owners seeking an efficient way to manage translations while maintaining top-notch security. By combining advanced features with rigorous security protocols, Loco Translate has earned the prestigious Plugin Security Certification (PSC-2024-64537) from CleanTalk, ensuring a secure and trustworthy solution for all its users.
Affected versions: Min 2.8.3, max 2.8.3.
Status: SAFE & CERTIFIED

Apr 14, 2026

CVE, Research URL: CVE-2026-4146
Home page URL: Security reports for Loco Translate
Application: Loco Translate
Date: Mar 31, 2026
Research Description: The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_href’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 2.8.3.
Status: vulnerable

May 06, 2026

CVE, Research URL: CVE-2026-1921
Home page URL: Security reports for Loco Translate
Application: Loco Translate
Date: May 05, 2026
Research Description: The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded.
Affected versions: max 2.8.3.
Status: vulnerable