CVE-2026-1921
Description
The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the fsReference AJAX route. This is due to the findSourceFile() method normalizing user-supplied ref paths containing ../ directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom loco_admin capability required, granted to the translator role and administrators by default), to read arbitrary .php, .js, .json, and .twig files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded.
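One way to close the gap described above, shown as an added example that is not Loco Translate's own code (the function name, the bundle layout and the temporary-directory fixture are assumed for illustration): normalize the reference as the vulnerable method does, then refuse any result whose canonical path is not inside the bundle directory.

```php
<?php
// Added example, not Loco Translate's code: a hypothetical findSourceFile()
// that normalizes "../" (as the vulnerable method does) and then also checks
// that the resolved path is still inside the bundle directory.
function findSourceFile(string $bundleDir, string $ref): ?string
{
    $base = realpath($bundleDir);
    // Reject an unresolvable base and NUL bytes (which truncate C-level paths).
    if ($base === false || strpos($ref, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; false if the file is missing.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $ref);
    if ($resolved === false) {
        return null;
    }
    // Containment check: compare against "base/" (with the separator) so that a
    // sibling such as "/srv/bundle-old" cannot pass for base "/srv/bundle".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null; // the normalized path escaped the bundle: this is the missing check
    }
    return $resolved;
}

// Constructed fixture (temporary directories): one legitimate file inside the
// bundle and one file two levels above it, standing in for a server file.
$root   = sys_get_temp_dir() . '/cve-2026-1921-demo-' . getmypid();
$bundle = $root . '/plugins/example-bundle';
mkdir($bundle, 0700, true);
file_put_contents($bundle . '/main.js', "// legitimate bundle source\n");
file_put_contents($root . '/outside.php', "<?php // outside the bundle\n");

var_dump(findSourceFile($bundle, 'main.js'));           // ref stays inside the bundle
var_dump(findSourceFile($bundle, '../../outside.php')); // "../../" escapes, containment check rejects it
var_dump(findSourceFile($bundle, '/etc/hostname'));     // absolute ref never resolves inside the bundle

// Clean up the fixture.
unlink($bundle . '/main.js');
unlink($root . '/outside.php');
rmdir($bundle);
rmdir($root . '/plugins');
rmdir($root);
```

A basename denylist such as excluding wp-config.php, which the description notes, is no substitute for this containment check, since every other readable file with an allowed extension remains exposed.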
Affected products
- Range: <= 2.8.2
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php
- plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php
- plugins.trac.wordpress.org/changeset/3482475/loco-translate/trunk/tpl/admin/config/version.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/f9ff3058-a08c-40ed-b756-81e703b2277a
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 4, 2026 to May 10, 2026), Wordfence Blog · May 14, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026), Wordfence Blog · Apr 9, 2026