Path Traversal Vulnerability in Loco Translate Plugin for WordPress
CVE-2026-1921
4.9 MEDIUM
What is CVE-2026-1921?
The Loco Translate plugin for WordPress suffers from a Path Traversal vulnerability that affects versions up to and including 2.8.2. This flaw arises from the findSourceFile() method, which improperly handles user-supplied ref paths containing directory traversal sequences. Authenticated users with Translator-level access can exploit this vulnerability to access arbitrary files on the server, potentially exposing sensitive data. Although it is designed to limit access to the translation directory, incorrect path normalization allows attackers to bypass these restrictions, thereby increasing the risk of data leaks.
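The containment failure described above, as an added PHP illustration of the bug class. It is not Loco Translate's code: this page does not show the source of findSourceFile(), and the function names, directory layout and sample ref values below are hypothetical and constructed for the demonstration. The script runs inside a temporary directory and compares a prefix check on the un-normalized path with a check made after canonicalization.

```php
<?php
// Added illustration; NOT the plugin's code. All names here are hypothetical.

// Weak: joins the ref onto the base and only checks the string prefix,
// so "../" segments survive until the filesystem resolves them.
function resolve_ref_naive(string $baseDir, string $ref): ?string {
    $path = rtrim($baseDir, '/') . '/' . $ref;
    return (strpos($path, $baseDir) === 0 && is_file($path)) ? $path : null;
}

// Hardened: canonicalize first (realpath resolves "..", "." and symlinks),
// then require the result to sit under the canonical base directory.
function resolve_ref_contained(string $baseDir, string $ref): ?string {
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $ref);
    if ($base === false || $real === false || !is_file($real)) {
        return null; // base or target does not exist, or is not a file
    }
    // Trailing separator stops "/languages-old" from matching "/languages".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sandbox: a translation directory and one file outside it.
$root = sys_get_temp_dir() . '/ref-demo-' . bin2hex(random_bytes(4));
mkdir("$root/languages/src", 0700, true);
file_put_contents("$root/languages/src/admin.php", "<?php // source\n");
file_put_contents("$root/outside.txt", "not a translation source\n");

// Constructed refs: in-tree, traversing out of the tree, and non-existent.
$refs = ['src/admin.php', 'src/../../outside.txt', 'src/missing.php'];
foreach ($refs as $ref) {
    printf("%-24s naive=%-5s contained=%s\n", $ref,
        resolve_ref_naive("$root/languages", $ref) ? 'allow' : 'deny',
        resolve_ref_contained("$root/languages", $ref) ? 'allow' : 'deny');
}

// Remove the sandbox.
unlink("$root/languages/src/admin.php");
unlink("$root/outside.txt");
rmdir("$root/languages/src");
rmdir("$root/languages");
rmdir($root);
```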
Affected Version(s)
Loco Translate: versions 0 through 2.8.2 (inclusive)