Threat Entry Updated 2026-04-01

CVE-2026-4146 - Loco Translate Plugin

The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_href’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Loco Translate

CVE-2026-4146

MEDIUM CVSS 6.1 2026-03-31

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2022-0765 - Loco Translate Plugin

The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.

PLUGIN Loco Translate

CVE-2022-0765

MEDIUM CVSS 5.4 2022-04-18

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24721 - Loco Translate Plugin

The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations.

PLUGIN Loco Translate

CVE-2021-24721

MEDIUM CVSS 6.5 2021-11-08

Risk Score

Open Full Technical Breakdown