TROYANOSYVIRUS
Zuruck zu CVEs

CVE-2026-1921

MEDIUM
4.9

Beschreibung

The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded.

CVE Details

CVSS v3.1 Bewertung4.9
SchweregradMEDIUM
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienHIGH
BenutzerinteraktionNONE
Veroffentlicht5/5/2026
Zuletzt geandert5/5/2026
Quellenvd
Honeypot-Sichtungen0

Schwachen (CWE)

CWE-22

Referenzen

https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L12(security@wordfence.com)
https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L92(security@wordfence.com)
https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L12(security@wordfence.com)
https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L92(security@wordfence.com)
https://plugins.trac.wordpress.org/changeset/3482475/loco-translate/trunk/tpl/admin/config/version.php(security@wordfence.com)
https://plugins.trac.wordpress.org/changeset?old_path=%2Floco-translate/tags/2.8.2&new_path=%2Floco-translate/tags/2.8.3(security@wordfence.com)
https://www.wordfence.com/threat-intel/vulnerabilities/id/f9ff3058-a08c-40ed-b756-81e703b2277a?source=cve(security@wordfence.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.