cleantalk
Vulnerabilities and Security Researches

Loco Translate, CVE-2026-1921

CVE, Research URL

CVE-2026-1921

Home page URL

Security reports for Loco Translate

Application

Loco Translate

Published on
May 05, 2026
Research Description
The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded.
Affected versions
max 2.8.3.
Status
vulnerable
Previous vulnerability researches
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2026-5063) , May 06, 2026
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2025-10185) , Nov 10, 2025
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2025-4208) , May 09, 2025
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2025-3468) , May 09, 2025
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2020-36670) , Jun 10, 2024
New vulnerability
Royal Elementor Addons and Templates (CVE-2026-4803) , May 06, 2026
Royal Elementor Addons and Templates (CVE-2026-5159) , May 06, 2026
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2026-5063) , May 06, 2026
Loco Translate (CVE-2026-1921) , May 06, 2026
Conditional Fields for Contact Form 7 (CVE-2026-25863) , May 06, 2026