Vulnerability Description
The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/Fs
- https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/Fs
- https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsRefer
- https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsRefer
- https://plugins.trac.wordpress.org/changeset/3482475/loco-translate/trunk/tpl/ad
- https://plugins.trac.wordpress.org/changeset?old_path=%2Floco-translate/tags/2.8
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f9ff3058-a08c-40ed-b75
FAQ
What is CVE-2026-1921?
CVE-2026-1921 is a vulnerability with a CVSS score of 4.9 (MEDIUM). The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method norma...
How severe is CVE-2026-1921?
CVE-2026-1921 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-1921?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.