Back to overview

CVE-2026-15005

HIGH
8.8
CVSS 3.1
Description
The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by supplying a php://filter stream wrapper URI as the 'template' parameter, which bypasses path validation and is passed directly to the include sink in execTemplate() via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Metadata

CVE ID
CVE-2026-15005
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-07-07 20:30 UTC
Published
2026-07-16 08:26 UTC
Last updated
2026-07-16 12:26 UTC
Primary CWE
CWE-352
CWE-352 Cross-Site Request Forgery (CSRF)
Vendor / Product
timwhitlock / Loco Translate
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
timwhitlock Loco Translate 0 ≤ 2.8.5
Weakness (CWE)
CWESourceDescription
CWE-352 cna CWE-352 Cross-Site Request Forgery (CSRF)
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Back to overview