{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/loco-translate--2.8.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-15005"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Loco Translate (\u003c 2.8.6)","WordPress"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","csrf","rce","cve"],"_cs_type":"advisory","_cs_vendors":["WordPress Foundation"],"content_html":"\u003cp\u003eA critical Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2026-15005, has been discovered in the Loco Translate plugin for WordPress. This flaw impacts all versions of the plugin up to and including 2.8.5. The vulnerability arises from missing or incorrect nonce validation within the \u003ccode\u003eexecTemplate\u003c/code\u003e function. This weakness enables unauthenticated attackers to execute arbitrary PHP code on the server. By exploiting this, an attacker can craft a malicious link that, when clicked by a logged-in site administrator, bypasses path validation by supplying a \u003ccode\u003ephp://filter\u003c/code\u003e stream wrapper URI as the \u003ccode\u003etemplate\u003c/code\u003e parameter. This malicious URI is then directly passed to an \u003ccode\u003einclude\u003c/code\u003e sink within the \u003ccode\u003eexecTemplate()\u003c/code\u003e function, resulting in remote code execution and full compromise of the affected WordPress instance. This vulnerability poses a significant risk to any organization utilizing the Loco Translate plugin on their WordPress sites.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious URL designed to exploit the CSRF vulnerability, embedding a \u003ccode\u003ephp://filter\u003c/code\u003e stream wrapper URI within the \u003ccode\u003etemplate\u003c/code\u003e parameter intended for the \u003ccode\u003eexecTemplate\u003c/code\u003e function of the Loco Translate plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker then socially engineers a site administrator, for instance via a phishing email or message, to trick them into clicking the crafted malicious link.\u003c/li\u003e\n\u003cli\u003eThe administrator, while logged into their vulnerable WordPress site, clicks the malicious link.\u003c/li\u003e\n\u003cli\u003eThe administrator's browser automatically sends a forged request to the WordPress site, including the attacker-controlled parameters.\u003c/li\u003e\n\u003cli\u003eDue to the absence of or incorrect nonce validation in the Loco Translate plugin's \u003ccode\u003eexecTemplate\u003c/code\u003e function, the WordPress application processes this forged request as legitimate.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ephp://filter\u003c/code\u003e stream wrapper URI provided in the \u003ccode\u003etemplate\u003c/code\u003e parameter successfully bypasses the intended path validation mechanisms within the plugin.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eexecTemplate()\u003c/code\u003e function then passes the malicious \u003ccode\u003ephp://filter\u003c/code\u003e URI directly to an \u003ccode\u003einclude\u003c/code\u003e sink.\u003c/li\u003e\n\u003cli\u003eThe WordPress server executes arbitrary PHP code specified by the attacker within the \u003ccode\u003ephp://filter\u003c/code\u003e stream, leading to remote code execution and full control over the compromised website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15005 leads to arbitrary PHP code execution on the compromised WordPress server. This grants attackers full control over the affected website, allowing them to deface content, inject malicious scripts, steal sensitive data from the database, or deploy further malware. Such access can lead to significant financial and reputational damage for affected organizations. The compromise could also serve as an initial foothold for attackers to pivot to other systems within the network. Any organization running the vulnerable Loco Translate plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-15005 immediately by updating the Loco Translate plugin for WordPress to version 2.8.6 or higher.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect CVE-2026-15005 Exploitation - Loco Translate CSRF to RCE\u0026quot; to your web server logs or WAF to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strong user awareness training programs to educate administrators about the risks of phishing and clicking suspicious links, which is crucial for the initial access vector of this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T09:18:17Z","date_published":"2026-07-16T09:18:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15005-loco-translate/","summary":"A Cross-Site Request Forgery vulnerability (CVE-2026-15005) in the WordPress Loco Translate plugin, affecting all versions up to 2.8.5, allows unauthenticated attackers to achieve remote code execution by tricking an administrator into clicking a malicious link, leading to arbitrary PHP code execution via `php://filter` stream wrapper abuse.","title":"CVE-2026-15005 - WordPress Loco Translate Plugin Cross-Site Request Forgery Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15005-loco-translate/"}],"language":"en","title":"CraftedSignal Threat Feed - Loco Translate (\u003c 2.8.6)","version":"https://jsonfeed.org/version/1.1"}