← Back to News  ·  July 18, 2026

Loco Translate Flaw Puts Over 1 Million WordPress Sites at Risk of Remote Code Execution

One Million Installs, One Forged Request

On July 15, 2026, Wordfence disclosed CVE-2026-15005, a high-severity vulnerability in Loco Translate, the go-to translation plugin for WordPress with more than a million active installations.

The flaw scores 8.8 on the CVSS scale and affects all versions up to and including 2.8.5.

What Went Wrong

The plugin's execTemplate function was missing proper nonce validation — the token WordPress uses to verify that a request genuinely comes from the logged-in user who appears to be making it.

Without that check, an attacker can craft a malicious link or page that, when visited by a logged-in administrator, silently sends a forged request through the admin's own browser. Combined with the plugin's template handling, that forged request can lead to remote code execution: the attacker's code running on your server.

The attack chain is uncomfortably simple:

  1. Admin is logged in to WordPress (as admins usually are).
  2. Admin clicks a link — in an email, a comment, a DM.
  3. The hidden request fires using the admin's session.
  4. The attacker's code executes on the site.

Why This Matters Even for "Small" Sites

Loco Translate is everywhere on non-English WordPress sites — it's the standard tool for translating theme texts. Many owners installed it once, translated three strings, and forgot it exists. Forgotten-but-active plugins are exactly where attacks like this thrive.

What You Should Do

  1. Update Loco Translate to 2.8.6 or later. The patch is available — this one has a fix, unlike some recent disclosures.
  2. Remove it if you no longer need it. Translations are stored independently; if you're done translating, the plugin can go.
  3. Audit your plugin list while you're there: every plugin you don't use is attack surface you're maintaining for free.

Updates with guarantee — including fixing whatever an update breaks — are part of every plan we offer. If your plugin list has grown wilder than your garden, we can prune it for you.

Originally reported by Wordfence

Frequently Asked Questions

What is Loco Translate and why is it installed on so many WordPress sites?

Loco Translate is a free plugin used to translate WordPress themes and plugins directly from the admin panel, with over one million active installations. It's especially common on non-English sites — including most Spanish-language WordPress sites that customize their theme's texts. Many site owners don't even remember installing it, because developers often add it during the site build and leave it active.

How does a CSRF vulnerability lead to remote code execution?

CSRF (Cross-Site Request Forgery) tricks a logged-in administrator's browser into sending a request they never intended — for example, by visiting a malicious link while logged in to WordPress. In this case, the forged request abuses Loco Translate's template function to execute attacker-controlled code on the server. In short: one wrong click by an admin, and the attacker can run code on your site.

I have Loco Translate installed. What exactly should I do?

Update it to version 2.8.6 or later right now — the fix is already published. If you no longer use the plugin (your translations are done and stored), consider removing it entirely: fewer active plugins means less attack surface. Either way, avoid clicking unknown links while logged in as administrator, which is the delivery mechanism for CSRF attacks.

How can I keep up with plugin vulnerabilities without checking security news every day?

Automatic updates help, but they can break your site when a plugin update is incompatible with your theme or other plugins. The safer setup is managed updates: someone (or some service) that tracks vulnerability disclosures, applies patches promptly, and can fix incompatibilities when an update breaks something. That's the core of any decent WordPress maintenance plan.

Keeping a website secure requires constant monitoring, updates and vulnerability management.

See our protection plans →

Let's talk!

We would like to help you.

+1 (857) 365-6734

Dobke