Loco Translate Plugin Vulnerability (CVE-2026-1921)


Security Alert Summary

The Loco Translate plugin for WordPress contains a path traversal vulnerability (CVE-2026-1921) that can allow authenticated users with Translator-level access or higher to read files outside the intended translation directory via the plugin’s AJAX fsReference route. The issue stems from insufficient validation after normalizing user-supplied paths containing “../” sequences.


CVE Details

  • CVE ID: CVE-2026-1921
  • Affected component: Loco Translate plugin for WordPress
  • Affected versions: All versions up to, and including, 2.8.2
  • Published: May 5, 2026 at 3:15:59 AM
  • Last modified: May 5, 2026 at 3:15:59 AM
  • CVSS v3.1: Base Score 4.9, Medium — Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
  • Authentication / privileges / user interaction: Authenticated attacker with Translator-level access or higher (custom loco_admin capability). Privileges required: High. User interaction: None.
  • Primary impact: Confidentiality: High; Integrity: None; Availability: None
  • Weakness (CWE): CWE-22 (Path Traversal)

Technical Details

The vulnerability is a path traversal flaw reachable via the plugin’s AJAX fsReference route. The plugin uses a findSourceFile() method that normalizes user-supplied ref paths containing “../” directory traversal sequences but does not validate that the resolved path remains within the intended bundle or content directory. As a result, an authenticated user with the required capability can request files outside the translation directory.

Successful exploitation allows reading of arbitrary files with extensions such as .php, .js, .json, and .twig from the server filesystem. The vendor notes that files named wp-config.php are excluded from reads via this route.
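The normalise-then-trust pattern the advisory describes, shown beside a containment check that rejects anything resolving outside the base directory, as an added example that is not Loco Translate's own code; the base directory, reference strings and extension allow-list are constructed assumptions.

```php
<?php
// Added example, not code from Loco Translate. It contrasts a lexical "../"
// normaliser whose result is trusted as-is with a resolver that also requires
// the result to sit strictly inside the intended base directory.
// The base directory, reference strings and extension list are constructed.

/** Collapse "." and ".." segments lexically, as a normaliser would. */
function normalize_path(string $path): string {
    $absolute = $path !== '' && $path[0] === '/';
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);   // pops past the base as well: the climb survives
        } else {
            $out[] = $seg;
        }
    }
    return ($absolute ? '/' : '') . implode('/', $out);
}

/** Weak: the normalised path is used wherever it landed. */
function resolve_weak(string $base, string $ref): string {
    return normalize_path($base . '/' . $ref);
}

/** Hardened: resolve, then require the result to be inside $base. */
function resolve_contained(string $base, string $ref, array $allowedExt): ?string {
    $base = normalize_path($base);
    $full = normalize_path($base . '/' . $ref);
    // The prefix includes the separator so "/languages-other" cannot pass as
    // "/languages". On a live system run realpath() on both sides first so
    // symlinks cannot bypass the lexical check.
    if (strpos($full, $base . '/') !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $full : null;
}

$base = '/var/www/html/wp-content/languages/loco';               // constructed
$refs = [
    'plugins/example-plugin.pot',                                  // legitimate
    'plugins/../../../../plugins/other-plugin/settings.json',      // climbs out
];
foreach ($refs as $ref) {
    printf("%-55s weak => %s\n", $ref, resolve_weak($base, $ref));
    printf("%-55s safe => %s\n", $ref,
        resolve_contained($base, $ref, ['pot', 'po', 'json']) ?? 'rejected');
}
```

The second reference is accepted by the weak resolver and rejected by the contained one, which is the difference the fix has to make.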


How This Could Impact Your Website

Consider a site where the site owner grants a translator role to an internal staff member or an external contractor to manage translations. An attacker who obtains or already has Translator-level access could use this vulnerability to read files outside the translation directories. This could expose application files, plugin or theme source files, or JSON and Twig templates that may contain sensitive data or configuration details.

Realistic consequences include exposure of internal user information (for example, email addresses stored in readable files) and increased risk of targeted phishing or social engineering aimed at staff or contractors based on disclosed data. The vulnerability affects confidentiality primarily; it does not directly allow code modification or denial of service according to the provided CVSS data.

If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially Translator and other high-privilege roles.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and logs for unusual file access or AJAX requests that target translation endpoints.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

