One Million Installs, One Forged Request
On July 15, 2026, Wordfence disclosed CVE-2026-15005, a high-severity vulnerability in Loco Translate, the go-to translation plugin for WordPress with more than a million active installations.
The flaw scores 8.8 on the CVSS scale and affects all versions up to and including 2.8.5.
What Went Wrong
The plugin's execTemplate function was missing proper nonce validation — the token WordPress uses to verify that a request genuinely comes from the logged-in user who appears to be making it.
Without that check, an attacker can craft a malicious link or page that, when visited by a logged-in administrator, silently sends a forged request through the admin's own browser. Combined with the plugin's template handling, that forged request can lead to remote code execution: the attacker's code running on your server.
The attack chain is uncomfortably simple:
- Admin is logged in to WordPress (as admins usually are).
- Admin clicks a link — in an email, a comment, a DM.
- The hidden request fires using the admin's session.
- The attacker's code executes on the site.
Why This Matters Even for "Small" Sites
Loco Translate is everywhere on non-English WordPress sites — it's the standard tool for translating theme texts. Many owners installed it once, translated three strings, and forgot it exists. Forgotten-but-active plugins are exactly where attacks like this thrive.
What You Should Do
- Update Loco Translate to 2.8.6 or later. The patch is available — this one has a fix, unlike some recent disclosures.
- Remove it if you no longer need it. Translations are stored independently; if you're done translating, the plugin can go.
- Audit your plugin list while you're there: every plugin you don't use is attack surface you're maintaining for free.
Updates with guarantee — including fixing whatever an update breaks — are part of every plan we offer. If your plugin list has grown wilder than your garden, we can prune it for you.
