Cross-Site Request Forgery Vulnerability in Loco Translate for WordPress
CVE-2026-15005

8.8HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
16 July 2026

What is CVE-2026-15005?

The Loco Translate plugin for WordPress has a vulnerability that allows unauthenticated attackers to exploit Cross-Site Request Forgery due to inadequate nonce validation in the execTemplate function. This flaw enables attackers to inject and execute arbitrary PHP code on the server, which can occur if they successfully trick an administrator into executing a malicious request, such as clicking a link. The vulnerability affects all versions up to and including 2.8.5 and poses significant risks if left unaddressed.

Affected Version(s)

Loco Translate 0 <= 2.8.5

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

mikemyers
.