CVE-2026-1921
Deferred Deferred - Pending Action
Path Traversal in Loco Translate WordPress Plugin

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1921
EUVD
EUVD-2026-27169
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
localization\_labs loco\_translate to 2.8.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Loco Translate plugin for WordPress has a Path Traversal vulnerability in all versions up to and including 2.8.2. This occurs via the `fsReference` AJAX route because the `findSourceFile()` method normalizes user-supplied paths containing directory traversal sequences like `../` without properly validating that the resolved path stays within the intended directory. As a result, authenticated users with Translator-level access or higher can read arbitrary files such as `.php`, `.js`, `.json`, and `.twig` from the server filesystem outside the translation directory, except for files named wp-config.php.

Compliance Impact

The vulnerability allows authenticated users with Translator-level access or higher to read arbitrary files on the server outside the intended translation directory, potentially exposing sensitive information.

Such unauthorized access to sensitive files could lead to violations of data protection regulations like GDPR or HIPAA if personal or protected health information is exposed.

However, files named wp-config.php are excluded from access, which may limit exposure of some critical configuration data.

Overall, this vulnerability could negatively impact compliance with standards requiring strict access controls and protection of sensitive data.

Impact Analysis

This vulnerability allows attackers with certain authenticated roles to read sensitive files on the server that they should not have access to. This can lead to exposure of sensitive information contained in those files, potentially aiding further attacks or information leakage. However, the vulnerability does not allow modification or deletion of files, only reading them.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1921. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart