Description
The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_href’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-03-31
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Script Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability occurs in the Loco Translate WordPress plugin, where the update_href parameter is not properly sanitized or escaped. This allows an attacker to embed malicious JavaScript into that parameter, causing the script to run in the victim’s browser when the crafted link is clicked. The attack can be performed by an unauthenticated attacker, and the resulting client‑side code execution can lead to cookie theft, session hijacking, defacement, or execution of arbitrary browser‑based actions.

Affected Systems

Affected systems include the timwhitlock Loco Translate plugin for WordPress, versions 2.8.2 and earlier. Administrators should verify that they are running a version later than 2.8.2, as newer releases address the issue. The impact is limited to web pages that render the update_href parameter; it does not provide a direct server‑side compromise.

Risk and Exploitability

The CVSS score of 6.1 classifies this as a moderate severity flaw. No EPSS score is published, and the vulnerability is not listed in KEV. The exploitation path is straightforward: an attacker crafts a link containing a malicious value for update_href and lures a user to click it. Because this requires only social engineering and does not rely on additional system weaknesses, the risk to sites that expose the parameter is non‑trivial. Administrators should treat this as a vulnerability that warrants prompt mitigation.
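As an added defender-side example (not from OpenCVE or the Loco Translate project): a Python scanner that pulls the update_href parameter out of web-server access-log lines, undoes layered percent-encoding, and flags values that carry script-injection markers. The log lines, client addresses and the /wp-admin path are constructed; the page does not state where the plugin reads update_href.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Markers that do not belong in a legitimate href value: a tag start,
# a javascript: scheme, an inline event handler, or a numeric HTML entity.
SUSPICIOUS = re.compile(
    r"<[a-z!/]|javascript:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;?", re.IGNORECASE
)
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Peel off up to `rounds` layers of percent-encoding (double encoding
    is a common way past a filter that decodes only once)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_update_href(request_target: str, param: str = "update_href") -> list[str]:
    """Return the decoded values of `param` that carry injection markers."""
    query = urlsplit(request_target).query
    hits = []
    for raw in parse_qs(query, keep_blank_values=True).get(param, []):
        decoded = decode_fully(raw)  # parse_qs already removed one layer
        if SUSPICIOUS.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded_value) for every suspicious update_href."""
    findings = []
    for line in text.splitlines():
        match = REQUEST.search(line)
        if match:
            for value in suspicious_update_href(match.group(1)):
                findings.append((line.split(" ", 1)[0], value))
    return findings


# Constructed sample log lines (not real traffic); the admin path is assumed.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Mar/2026:06:20:01 +0000] "GET /wp-admin/admin.php?page=loco-plugin&update_href=%2Fwp-admin%2Fupdate.php HTTP/1.1" 200 512
203.0.113.9 - - [31/Mar/2026:06:21:14 +0000] "GET /wp-admin/admin.php?page=loco-plugin&update_href=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
198.51.100.7 - - [31/Mar/2026:06:22:30 +0000] "GET /wp-admin/admin.php?page=loco-plugin&update_href=javascript%3Aalert(1) HTTP/1.1" 200 512
"""
```

Running scan_log(SAMPLE_LOG) reports the second and third lines only; tune SUSPICIOUS to your site's legitimate href values before using it on production logs.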

Generated by OpenCVE AI on March 31, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Loco Translate plugin to version 2.8.3 or later.
  • If an update cannot be applied immediately, disable or remove the Loco Translate plugin until a patched version is available.
  • Restrict administrative access to trusted users to limit exposure to malicious links containing the vulnerable parameter.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Timwhitlock; Timwhitlock loco Translate; Wordpress; Wordpress wordpress
Vendors & Products | | Timwhitlock; Timwhitlock loco Translate; Wordpress; Wordpress wordpress

Tue, 31 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | | The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_href’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title | | Loco Translate <= 2.8.2 - Reflected Cross-Site Scripting via 'update_href' Parameter
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:25.107Z

Reserved: 2026-03-13T17:12:22.894Z

Link: CVE-2026-4146

Vulnrichment

Updated: 2026-03-31T15:04:46.656Z

NVD

Status: Deferred

Published: 2026-03-31T05:16:11.453

Modified: 2026-04-24T18:11:16.583

Link: CVE-2026-4146

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:39:30Z

Weaknesses