CVE-2026-15005 in Loco Translate Plugininfo

Summary

by MITRE • 07/16/2026

The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by supplying a php://filter stream wrapper URI as the 'template' parameter, which bypasses path validation and is passed directly to the include sink in execTemplate() via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability in the Loco Translate plugin for WordPress represents a critical cross-site request forgery weakness that affects all versions up to and including 2.8.5. This flaw resides within the execTemplate function where nonce validation is either absent or improperly implemented, creating a pathway for unauthenticated attackers to exploit the system. The security breach occurs through the manipulation of the 'template' parameter which accepts php://filter stream wrapper URIs, bypassing normal path validation mechanisms that should prevent arbitrary file inclusion attacks.

This vulnerability operates under the principle of cross-site request forgery as defined by CWE-352, where an attacker crafts malicious requests that trick authenticated users into executing unintended actions. The specific implementation flaw allows attackers to directly pass malicious URI strings to the include sink within execTemplate(), effectively circumventing standard input sanitization and validation procedures. The php://filter stream wrapper functionality enables attackers to manipulate data streams and potentially execute arbitrary PHP code on the target server, making this a severe remote code execution vulnerability.

The operational impact of this vulnerability extends beyond simple privilege escalation as it allows attackers to gain complete control over the affected WordPress installation. When an administrator performs routine actions such as clicking on malicious links or visiting compromised websites, the forged requests can execute without proper authentication checks. This creates a significant risk for website owners who may not be aware that their administrators are vulnerable to such attacks through seemingly innocuous interactions with external content. The attack vector specifically targets the administrative privilege escalation path where legitimate user actions inadvertently trigger malicious code execution.

Mitigation strategies must address both the immediate vulnerability and broader security posture of affected systems. Immediate remediation involves updating to a patched version of the Loco Translate plugin, though administrators should verify that updates are properly applied and test for compatibility issues. The implementation of proper nonce validation mechanisms within the execTemplate function is essential to prevent unauthorized requests from being processed. Additionally, implementing web application firewalls with rules specifically targeting php://filter stream wrapper usage can provide additional protective layers against exploitation attempts. Organizations should also consider network-level monitoring for suspicious URI patterns and implement principle of least privilege access controls to limit potential damage from successful exploitation attempts.

This vulnerability aligns with several ATT&CK techniques including T1059.007 for command and scripting interpreter and T1566 for credential harvesting through social engineering approaches that exploit the CSRF weakness. The attack chain typically follows a pattern where threat actors first identify vulnerable WordPress installations, craft malicious payloads using php://filter wrappers, and then deliver these payloads through phishing campaigns or compromised websites to trick administrators into executing the malicious code. Security teams should implement regular vulnerability scanning processes specifically targeting WordPress plugins and their known vulnerabilities to prevent such exploitation attempts from succeeding in production environments.

Responsible

Wordfence

Reservation

07/07/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!