WordPress Loco Translate plugin <= 2.5.3 - Authenticated PHP Code Injection vulnerability

Plugin slug: loco-translate
Software: Loco Translate
Vulnerable versions: <= 2.5.3
Fixed in version: 2.5.4
CVE: CVE-2021-24721
Credits: Tomi Ashari
Classification: Direct static code injection
OWASP Top 10: A1: Injection
Disclosure date: 2021-10-11
CVSS 3.0 score: 7.2 (High)
Privileges required: translator (custom plugin role)


Details

An authenticated PHP code injection vulnerability, discovered by Tomi Ashari, affects the WordPress Loco Translate plugin in versions up to and including 2.5.3. Exploitation requires an authenticated account holding the plugin's custom translator role, which is reflected in the CVSS 3.0 score of 7.2 (High).

Solution

Update the WordPress Loco Translate plugin to the latest available version (at least 2.5.4, the release that fixes CVE-2021-24721). Until the update is applied, review which accounts hold the translator role, since that role is sufficient to exploit the issue.
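The following script is an added example for checking whether a site is still running an affected release; it is not code from the advisory or from the Loco Translate plugin. It compares an installed version string against the fixed version 2.5.4 using GNU `sort -V`, and the `check_site` helper assumes WP-CLI is installed and is run from the WordPress root so that `wp plugin get loco-translate --field=version` can read the installed version.

```shell
#!/usr/bin/env bash
# Added example: detect an installed Loco Translate version in the vulnerable
# range (<= 2.5.3, CVE-2021-24721). Not part of the advisory or the plugin.

FIXED_VERSION="2.5.4"   # first release that fixes CVE-2021-24721

# loco_translate_vulnerable VERSION
# Returns 0 (true) when VERSION sorts strictly below FIXED_VERSION,
# 1 otherwise. Uses GNU sort -V so that 2.5.10 is correctly treated as
# newer than 2.5.4 (a plain string comparison would get this wrong).
loco_translate_vulnerable() {
  local installed="$1"
  local lowest
  lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" | sort -V | head -n 1)
  if [ "$installed" != "$FIXED_VERSION" ] && [ "$lowest" = "$installed" ]; then
    return 0
  fi
  return 1
}

# check_site
# Queries the live site through WP-CLI (assumed installed, run from the
# WordPress root). Exit status: 0 = vulnerable, 1 = not affected,
# 2 = plugin not installed or WP-CLI unavailable.
check_site() {
  local v
  if ! v=$(wp plugin get loco-translate --field=version 2>/dev/null); then
    echo "loco-translate is not installed (or WP-CLI is unavailable)"
    return 2
  fi
  if loco_translate_vulnerable "$v"; then
    echo "loco-translate $v is affected by CVE-2021-24721; update to >= $FIXED_VERSION"
    return 0
  fi
  echo "loco-translate $v is not affected by CVE-2021-24721"
  return 1
}

# Run the live check only when executed directly, not when sourced.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  check_site
fi
```

Run it from the WordPress root as `bash check-loco.sh`; a non-zero exit of 1 means the site is already on 2.5.4 or later, and 2 means the plugin is not installed at all, so the script can be dropped into a fleet-wide audit loop and its exit status used directly.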
