Loco Translate
Moderate fix1 remedy
cpe:2.3:a:loco_translate_project:loco_translate:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 2.8.2
Loco Translate Path Traversal Vulnerability Allowing Unauthorized File Access
Vulnerability
Patched
A path traversal vulnerability has been identified in the Loco Translate plugin for WordPress, affecting all versions up to and including 2.8.2. The issue arises in the 'fsReference' AJAX route, where the 'findSourceFile()' method improperly normalizes user-supplied 'ref' paths containing directory traversal sequences. This flaw allows authenticated attackers with Translator-level access or higher to read arbitrary files with certain extensions from the server filesystem, outside the designated translation directory, while excluding sensitive files like wp-config.php.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, potentially including configuration files or other critical data.
Reproduction
To reproduce this vulnerability, an authenticated user with Translator-level access or higher can send a request to the 'fsReference' AJAX route with a 'ref' parameter that includes '../' sequences. The 'findSourceFile()' method will normalize the path and allow access to files outside the intended directory.
Remediation
Users are advised to update the Loco Translate plugin to version 2.8.3 or later.
Added: May 5, 2026, 3:34 AM
Updated: May 5, 2026, 3:34 AM
Vulnerability Rating
Custom Algorithm
spread
7.6impact
0.6exploitability
6.4remediation
7.7relevance
7.5threat
4.8urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.