Impact
The Loco Translate plugin for WordPress contains a path traversal vulnerability in the fsReference AJAX route. The findSourceFile() method normalizes user-supplied ref paths that contain ../ sequences without ensuring the resolved path stays within the intended translation bundle. This flaw allows an attacker who is authenticated with Translator-level access or higher to read arbitrary .php, .js, .json, and .twig files from the server filesystem outside the translation directory, though wp-config.php files are excluded. The vulnerability is a classic directory traversal flaw (CWE-22) leading to unprivileged file disclosure.
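As an added illustration (not Loco Translate's own code), the hypothetical PHP resolver below contrasts the weak pattern described above, lexically collapsing ../ segments without a containment check, with a hardened version that canonicalizes the path on disk and requires the bundle root as a prefix. The function names, the bundle layout and the temporary files are assumptions constructed for the demo.

```php
<?php
// Added example, not the plugin's code: why collapsing "../" does not
// contain a path, and how a realpath-based root check does.

/** Lexically collapse "a/../b" segments (the weak approach). */
function normalize_lexically(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    $prefix = ($path !== '' && $path[0] === '/') ? '/' : '';
    return $prefix . implode('/', $out);
}

/** Weak: normalizes root + ref but never checks the result stays in the bundle. */
function resolve_ref_unsafe(string $bundleRoot, string $ref): string {
    return normalize_lexically($bundleRoot . '/' . $ref);
}

/** Hardened: resolve on disk, then require the canonical bundle root
 *  (with trailing separator) as a prefix and restrict the file type. */
function resolve_ref_safe(string $bundleRoot, string $ref): ?string {
    $root = realpath($bundleRoot);
    $real = realpath($bundleRoot . '/' . $ref);
    if ($root === false || $real === false) return null;
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Separator in the prefix stops "/bundle2/x" from matching "/bundle".
    if (strncmp($real, $root, strlen($root)) !== 0) return null;
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, ['php', 'js', 'json', 'twig'], true)) return null;
    return $real;
}

// Constructed demo: one file inside the bundle, one file outside it.
$base = sys_get_temp_dir() . '/bundle_demo_' . getmypid();
mkdir("$base/bundle", 0700, true);
file_put_contents("$base/bundle/fr_FR.json", '{}');
file_put_contents("$base/outside.php", "<?php\n");

var_dump(resolve_ref_unsafe("$base/bundle", '../outside.php')); // path left the bundle
var_dump(resolve_ref_safe("$base/bundle", '../outside.php'));   // rejected: outside root
var_dump(resolve_ref_safe("$base/bundle", 'fr_FR.json'));       // accepted: inside root
```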
Affected Systems
Any WordPress site running the timwhitlock Loco Translate plugin at version 2.8.2 or earlier is affected. The plugin grants a custom loco_admin capability to the translator role and administrators by default, so any user with that capability can exploit the flaw. The vulnerability applies to all WordPress installations that use the vulnerable version without an update to 2.8.3 or later.
Risk and Exploitability
The CVSS score of 4.9 places the flaw in the Medium range, and the exploit probability is not quantified by EPSS. Because the attack requires authenticated access with translator or higher roles, the attack surface is limited; however, if an attacker can compromise a translator account or elevate privileges, they can read sensitive configuration files and obtain credentials. The flaw is not listed in the CISA KEV catalog, suggesting no widespread, active exploitation at this time. Nonetheless, the existence of a path traversal bug that permits file disclosure warrants prompt remediation.
OpenCVE Enrichment