Unrated severityNVD Advisory· Published Nov 8, 2021· Updated Aug 3, 2024

Loco Translate < 2.5.4 - Authenticated PHP Code Injection

CVE-2021-24721

Description

The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations.

Affected products

WordPress/Loco Translatev5
Range: 2.5.4
Package: https://wordpress.org/plugins/loco-translate

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wpscan.com/vulnerability/bc7d4774-fce8-4b0b-8015-8ef4c5b02d38mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000