CVE-2026-15005
timwhitlock · Loco Translate
The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), which may allow an attacker to perform unauthorized actions on behalf of an authenticated administrator.
Executive summary
The Loco Translate plugin for WordPress is susceptible to a CSRF vulnerability that could allow an attacker to perform unauthorized actions on the platform.
Vulnerability
This is a CSRF vulnerability (CWE-352) present in the plugin's administrative controllers. An unauthenticated attacker can trick a logged-in administrator into performing unintended actions by enticing them to click a malicious link or visit a crafted website.
Business impact
The CVSS score of 8.8 highlights the critical nature of this vulnerability, as it allows attackers to bypass intended security controls. If successfully exploited, an attacker could change system settings or execute administrative tasks, potentially leading to site-wide disruption or unauthorized data modifications.
Remediation
Immediate Action: Update the Loco Translate plugin to the latest version beyond 2.8.5 to address the CSRF protection deficiency.
Proactive Monitoring: Monitor site activity logs for unexpected administrative changes or actions occurring during periods where no legitimate administrator is active.
Compensating Controls: Advise administrators to maintain strict browsing habits and utilize browser-based security extensions to mitigate the risk of CSRF attacks.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Due to the potential for administrative account compromise via CSRF, it is imperative to update the Loco Translate plugin immediately. Administrators should ensure that the plugin is running the latest version to protect against this request forgery vector.