Description
The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations.
References (1)
Exploit, Third Party Advisory (x_refsource_misc): https://wpscan.com/vulnerability/bc7d4774-fce8-4b0b-8015-8ef4c5b02d38
Scores
CVSS v3: 6.5
EPSS: 0.0091
EPSS Percentile: 55.5%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE: CWE-94
Status: published
Products (1)
loco_translate_project/loco_translate < 2.5.4
Published: Nov 08, 2021
Tracked Since: Feb 18, 2026