CVE-2026-1921 Overview
CVE-2026-1921 is a path traversal vulnerability [CWE-22] affecting the Loco Translate plugin for WordPress in all versions up to and including 2.8.2. The flaw resides in the fsReference AJAX route, where the findSourceFile() method normalizes user-supplied ref paths containing ../ directory traversal sequences without verifying that the resolved path stays within the intended bundle or content directory. Authenticated attackers holding Translator-level access or higher can read arbitrary .php, .js, .json, and .twig files from the server filesystem. Files named wp-config.php are explicitly excluded by the plugin.
Critical Impact
Authenticated users with the loco_admin capability can read sensitive PHP source files and configuration data outside the translation directory, exposing application secrets, credentials embedded in code, and proprietary plugin or theme logic.
Affected Products
- Loco Translate plugin for WordPress versions up to and including 2.8.2
- WordPress sites granting the translator role or loco_admin capability
- WordPress administrator accounts using Loco Translate 2.8.2 or earlier
Discovery Timeline
- 2026-05-05 - CVE-2026-1921 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-1921
Vulnerability Analysis
The vulnerability resides in the FsReferenceController.php file within the Loco Translate plugin. The controller exposes an AJAX endpoint that accepts a ref parameter representing a file reference within a translation bundle. The findSourceFile() method normalizes the supplied path but fails to validate that the resolved location remains within the expected bundle or content directory.
An attacker holding the custom loco_admin capability — granted to the translator role and WordPress administrators by default — can submit crafted ref values containing ../ sequences. The normalization step collapses these traversal segments into an absolute filesystem path that escapes the intended directory boundary. The plugin then returns the file contents to the requester.
The scope is limited to file extensions the controller treats as source files: .php, .js, .json, and .twig. The plugin maintains a denylist that blocks files literally named wp-config.php, but other sensitive PHP files containing database credentials, API keys, or hardcoded secrets remain accessible.
Root Cause
The root cause is missing canonicalization-and-containment validation. The findSourceFile() method normalizes input but does not call a check such as str_starts_with($resolved, $allowedBase) to confirm the resolved path stays inside the permitted directory. This is a textbook [CWE-22] Improper Limitation of a Pathname to a Restricted Directory.
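The normalize-without-containment pattern described in the analysis and root cause above, modelled in Python as an added example (this is not the plugin's PHP code; the directory layout, the bundle path and the function names are constructed for the demonstration). The vulnerable variant only collapses the path, the hardened variant canonicalizes and then checks containment against the content directory, applies the source-file extension allowlist and the wp-config.php denylist. The containment check also shows the caveat hidden in a bare prefix test: it compares against the base with a trailing separator, because a sibling directory such as wp-content-old otherwise passes a str_starts_with-style check against wp-content.

```python
import posixpath
from typing import Optional

# Constructed layout for the demonstration (hypothetical paths, not the plugin's real ones).
CONTENT_DIR = "/var/www/html/wp-content"
BUNDLE = CONTENT_DIR + "/plugins/loco-translate"
SOURCE_EXTENSIONS = {".php", ".js", ".json", ".twig"}


def find_source_file_vulnerable(bundle_root: str, ref: str) -> str:
    """Normalize-only lookup: collapses '../' segments but never checks where the
    result landed. This is the CWE-22 pattern the advisory describes."""
    return posixpath.normpath(posixpath.join(bundle_root, ref))


def _inside(resolved: str, allowed_base: str) -> bool:
    """True when resolved is allowed_base itself or lies beneath it."""
    base = posixpath.normpath(allowed_base)
    # Compare with a trailing separator so that a sibling such as
    # /wp-content-old does not satisfy a bare prefix test against /wp-content.
    return resolved == base or resolved.startswith(base + "/")


def find_source_file_hardened(bundle_root: str, ref: str,
                              allowed_base: str = CONTENT_DIR) -> Optional[str]:
    """Canonicalize, then refuse anything that escapes allowed_base, carries a
    disallowed extension, or is named wp-config.php. Returns None on rejection."""
    if "\x00" in ref:
        return None
    resolved = posixpath.normpath(posixpath.join(bundle_root, ref))
    if not _inside(resolved, allowed_base):
        return None
    if posixpath.splitext(resolved)[1].lower() not in SOURCE_EXTENSIONS:
        return None
    if posixpath.basename(resolved) == "wp-config.php":
        return None
    return resolved


if __name__ == "__main__":
    for ref in ("src/loader.php", "../../../private/config.php",
                "../../../wp-content-old/x.php", "../../wp-config.php"):
        print(f"{ref!r}: vulnerable -> {find_source_file_vulnerable(BUNDLE, ref)}; "
              f"hardened -> {find_source_file_hardened(BUNDLE, ref)}")
```

Running the module shows that the vulnerable lookup happily resolves an escaped path under /var/www/html/private, while the hardened one returns None for it, for the wp-content-old sibling, and for wp-config.php, and still serves an in-bundle source file.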
Attack Vector
Exploitation requires an authenticated session with the loco_admin capability. The attacker issues an authenticated AJAX request to the fsReference route with a ref parameter constructed to traverse upward from the plugin or content directory. The server returns the contents of the targeted .php, .js, .json, or .twig file. The vector is network-based and does not require user interaction.
Full technical context is available in the Wordfence Vulnerability Report and the Loco Translate FsReferenceController source.
Detection Methods for CVE-2026-1921
Indicators of Compromise
- POST requests to admin-ajax.php with action=loco_json or related Loco Translate AJAX actions containing ../ sequences in the ref parameter.
- HTTP request bodies referencing absolute paths or escaping the wp-content/plugins/ or wp-content/themes/ prefix.
- Unusual outbound responses returning .php source content to authenticated low-privilege users.
Detection Strategies
- Inspect WordPress access logs for admin-ajax.php requests originating from translator role accounts and parse query bodies for traversal patterns.
- Apply Web Application Firewall (WAF) rules that match ..%2f, ../, and URL-encoded traversal variants in Loco Translate AJAX parameters.
- Audit accounts holding the loco_admin capability and correlate their AJAX activity against expected translation workflows.
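A small detector for the indicators and strategies listed above, added here as an example (not part of the advisory or of any vendor tooling). It takes request records in a constructed shape (user, role, path, query, body), keeps only admin-ajax.php calls whose action starts with loco_, percent-decodes the ref parameter repeatedly so single- and double-encoded variants are normalized, and flags a bare ".." segment or an absolute path. The body layout with route=fsReference and the sample user names are assumptions for the demonstration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote

# Matches a bare '..' path segment (forward or back slash) after percent-decoding.
TRAVERSAL_SEGMENT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
ABSOLUTE_PATH = re.compile(r"^(?:/|[A-Za-z]:[\\/])")


def decode_repeatedly(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (%252e -> %2e -> .) until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(record: dict) -> Optional[dict]:
    """Return a finding for a Loco Translate AJAX request whose ref parameter
    escapes the bundle directory, or None when nothing suspicious is present."""
    if not record["path"].endswith("/admin-ajax.php"):
        return None
    # parse_qs already removes one layer of percent-encoding.
    params = parse_qs(record.get("query", ""))
    params.update(parse_qs(record.get("body", "")))
    action = params.get("action", [""])[0]
    if not action.startswith("loco_"):
        return None
    for raw in params.get("ref", []):
        ref = decode_repeatedly(raw)
        if TRAVERSAL_SEGMENT.search(ref):
            reason = "traversal segment in ref"
        elif ABSOLUTE_PATH.match(ref):
            reason = "absolute path in ref"
        else:
            continue
        return {"user": record["user"], "role": record["role"],
                "action": action, "ref": ref, "reason": reason}
    return None


def scan(records) -> list:
    """Run inspect_request over a batch and keep the findings."""
    return [f for f in (inspect_request(r) for r in records) if f]


# Constructed sample traffic; the body shape is an assumption, not captured data.
SAMPLE_REQUESTS = [
    {"user": "tr1", "role": "translator", "path": "/wp-admin/admin-ajax.php", "query": "",
     "body": "action=loco_json&route=fsReference&ref=src/loader.php"},
    {"user": "tr1", "role": "translator", "path": "/wp-admin/admin-ajax.php", "query": "",
     "body": "action=loco_json&route=fsReference&ref=../../../other-plugin/config.php"},
    {"user": "tr2", "role": "translator", "path": "/wp-admin/admin-ajax.php", "query": "",
     "body": "action=loco_json&route=fsReference&ref=%252e%252e%252f%252e%252e%252fsecret.php"},
    {"user": "ed1", "role": "editor", "path": "/wp-admin/admin-ajax.php", "query": "",
     "body": "action=heartbeat&ref=../x"},
    {"user": "tr2", "role": "translator", "path": "/wp-admin/admin-ajax.php", "query": "",
     "body": "action=loco_json&route=fsReference&ref=/var/www/html/wp-content/plugins/p/config.php"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The heartbeat request is ignored even though it carries a traversal-looking value, because the detector is scoped to Loco Translate actions; that keeps the alert tied to the vulnerable route rather than to every ".." on the site. Feed it access-log-derived records with the POST body attached (for example from a WAF audit log), and join the user and role fields against the accounts that hold loco_admin.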
Monitoring Recommendations
- Forward WordPress and webserver logs to a centralized logging or SIEM platform and alert on anomalous Loco Translate AJAX traffic.
- Track the Loco Translate plugin version across managed WordPress estates and flag installations at or below 2.8.2.
- Monitor file read patterns on the WordPress host for unexpected access to PHP files outside the plugin's translation directories.
How to Mitigate CVE-2026-1921
Immediate Actions Required
- Upgrade Loco Translate to 2.8.3 or later, the release that carries the vendor's fix (the change set from 2.8.2 to 2.8.3).
- Review and reduce the number of accounts assigned the translator role or the loco_admin capability.
- Rotate any secrets, API keys, or database credentials that may have been exposed in readable PHP, JS, JSON, or Twig files.
Patch Information
The maintainers addressed the issue in the Loco Translate 2.8.3 release. The fix is reflected in the plugin change set 3482475 and the diff between tags 2.8.2 and 2.8.3. Site operators should update through the WordPress plugin manager or by deploying the patched release to their managed WordPress fleet.
Workarounds
- Temporarily revoke the loco_admin capability from non-administrative roles until the plugin is updated.
- Deactivate the Loco Translate plugin on production sites that cannot be patched immediately.
- Deploy WAF rules that block ../ and URL-encoded traversal sequences in ref parameters submitted to admin-ajax.php.
# Example WAF rule (ModSecurity) blocking traversal in Loco Translate ref parameter.
# phase:2 inspects the request body, so SecRequestBodyAccess must be On for ref values
# sent in POST bodies. ModSecurity percent-decodes ARGS once while parsing; the added
# t:urlDecodeUni removes a further layer and t:lowercase folds %2E to %2e, so the
# pattern also matches double-encoded %252e%252e%252f and upper-case variants.
SecRule ARGS:ref "@rx \.\./|%2e%2e%2f" \
    "id:1002026,\
    phase:2,\
    t:none,t:urlDecodeUni,t:lowercase,\
    deny,\
    status:403,\
    log,\
    msg:'CVE-2026-1921 Loco Translate path traversal attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.