<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Loco Translate (&lt; 2.8.6) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/loco-translate--2.8.6/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 09:18:17 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/loco-translate--2.8.6/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-15005 - WordPress Loco Translate Plugin Cross-Site Request Forgery Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15005-loco-translate/</link><pubDate>Thu, 16 Jul 2026 09:18:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15005-loco-translate/</guid><description>A Cross-Site Request Forgery vulnerability (CVE-2026-15005) in the WordPress Loco Translate plugin, affecting all versions up to 2.8.5, allows unauthenticated attackers to achieve remote code execution by tricking an administrator into clicking a malicious link, leading to arbitrary PHP code execution via `php://filter` stream wrapper abuse.</description><content:encoded><![CDATA[<p>A critical Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2026-15005, has been discovered in the Loco Translate plugin for WordPress. This flaw impacts all versions of the plugin up to and including 2.8.5. The vulnerability arises from missing or incorrect nonce validation within the <code>execTemplate</code> function. This weakness enables unauthenticated attackers to execute arbitrary PHP code on the server. By exploiting this, an attacker can craft a malicious link that, when clicked by a logged-in site administrator, bypasses path validation by supplying a <code>php://filter</code> stream wrapper URI as the <code>template</code> parameter. This malicious URI is then directly passed to an <code>include</code> sink within the <code>execTemplate()</code> function, resulting in remote code execution and full compromise of the affected WordPress instance. This vulnerability poses a significant risk to any organization utilizing the Loco Translate plugin on their WordPress sites.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious URL designed to exploit the CSRF vulnerability, embedding a <code>php://filter</code> stream wrapper URI within the <code>template</code> parameter intended for the <code>execTemplate</code> function of the Loco Translate plugin.</li>
<li>The attacker then socially engineers a site administrator, for instance via a phishing email or message, to trick them into clicking the crafted malicious link.</li>
<li>The administrator, while logged into their vulnerable WordPress site, clicks the malicious link.</li>
<li>The administrator's browser automatically sends a forged request to the WordPress site, including the attacker-controlled parameters.</li>
<li>Due to the absence of or incorrect nonce validation in the Loco Translate plugin's <code>execTemplate</code> function, the WordPress application processes this forged request as legitimate.</li>
<li>The <code>php://filter</code> stream wrapper URI provided in the <code>template</code> parameter successfully bypasses the intended path validation mechanisms within the plugin.</li>
<li>The vulnerable <code>execTemplate()</code> function then passes the malicious <code>php://filter</code> URI directly to an <code>include</code> sink.</li>
<li>The WordPress server executes arbitrary PHP code specified by the attacker within the <code>php://filter</code> stream, leading to remote code execution and full control over the compromised website.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15005 leads to arbitrary PHP code execution on the compromised WordPress server. This grants attackers full control over the affected website, allowing them to deface content, inject malicious scripts, steal sensitive data from the database, or deploy further malware. Such access can lead to significant financial and reputational damage for affected organizations. The compromise could also serve as an initial foothold for attackers to pivot to other systems within the network. Any organization running the vulnerable Loco Translate plugin is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-15005 immediately by updating the Loco Translate plugin for WordPress to version 2.8.6 or higher.</li>
<li>Deploy the Sigma rule &quot;Detect CVE-2026-15005 Exploitation - Loco Translate CSRF to RCE&quot; to your web server logs or WAF to detect exploitation attempts.</li>
<li>Implement strong user awareness training programs to educate administrators about the risks of phishing and clicking suspicious links, which is crucial for the initial access vector of this vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>csrf</category><category>rce</category><category>cve</category></item></channel></rss>