Skip to content
Threat Feed
high advisory

CVE-2026-15005 - WordPress Loco Translate Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery vulnerability (CVE-2026-15005) in the WordPress Loco Translate plugin, affecting all versions up to 2.8.5, allows unauthenticated attackers to achieve remote code execution by tricking an administrator into clicking a malicious link, leading to arbitrary PHP code execution via `php://filter` stream wrapper abuse.

A critical Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2026-15005, has been discovered in the Loco Translate plugin for WordPress. This flaw impacts all versions of the plugin up to and including 2.8.5. The vulnerability arises from missing or incorrect nonce validation within the execTemplate function. This weakness enables unauthenticated attackers to execute arbitrary PHP code on the server. By exploiting this, an attacker can craft a malicious link that, when clicked by a logged-in site administrator, bypasses path validation by supplying a php://filter stream wrapper URI as the template parameter. This malicious URI is then directly passed to an include sink within the execTemplate() function, resulting in remote code execution and full compromise of the affected WordPress instance. This vulnerability poses a significant risk to any organization utilizing the Loco Translate plugin on their WordPress sites.

Attack Chain

  1. An attacker crafts a malicious URL designed to exploit the CSRF vulnerability, embedding a php://filter stream wrapper URI within the template parameter intended for the execTemplate function of the Loco Translate plugin.
  2. The attacker then socially engineers a site administrator, for instance via a phishing email or message, to trick them into clicking the crafted malicious link.
  3. The administrator, while logged into their vulnerable WordPress site, clicks the malicious link.
  4. The administrator's browser automatically sends a forged request to the WordPress site, including the attacker-controlled parameters.
  5. Due to the absence of or incorrect nonce validation in the Loco Translate plugin's execTemplate function, the WordPress application processes this forged request as legitimate.
  6. The php://filter stream wrapper URI provided in the template parameter successfully bypasses the intended path validation mechanisms within the plugin.
  7. The vulnerable execTemplate() function then passes the malicious php://filter URI directly to an include sink.
  8. The WordPress server executes arbitrary PHP code specified by the attacker within the php://filter stream, leading to remote code execution and full control over the compromised website.

Impact

Successful exploitation of CVE-2026-15005 leads to arbitrary PHP code execution on the compromised WordPress server. This grants attackers full control over the affected website, allowing them to deface content, inject malicious scripts, steal sensitive data from the database, or deploy further malware. Such access can lead to significant financial and reputational damage for affected organizations. The compromise could also serve as an initial foothold for attackers to pivot to other systems within the network. Any organization running the vulnerable Loco Translate plugin is at risk.

Recommendation

  • Patch CVE-2026-15005 immediately by updating the Loco Translate plugin for WordPress to version 2.8.6 or higher.
  • Deploy the Sigma rule "Detect CVE-2026-15005 Exploitation - Loco Translate CSRF to RCE" to your web server logs or WAF to detect exploitation attempts.
  • Implement strong user awareness training programs to educate administrators about the risks of phishing and clicking suspicious links, which is crucial for the initial access vector of this vulnerability.

Detection coverage 1

Detect CVE-2026-15005 Exploitation - Loco Translate CSRF to RCE

high

Detects exploitation attempts for CVE-2026-15005, a CSRF vulnerability in the WordPress Loco Translate plugin leading to remote code execution via php://filter stream wrapper abuse.

sigma tactics: execution, initial_access techniques: T1059, T1566 sources: webserver

Detection queries are available on the platform. Get full rules →