CVE-2026-15005

HIGH

CVSS v3

8.8

HIGH

EPSS Score

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by supplying a php://filter stream wrapper URI as the 'template' parameter, which bypasses path validation and is passed directly to the include sink in execTemplate() via a forged request gr

Technical Details

CVSS v3 Vector
3.1
Published
7/16/2026
Last Modified
7/16/2026

Frequently Asked Questions

What is CVE-2026-15005?

The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by supplying a php://filter stream wrapper URI as the 'template' parameter, which bypasses path validation and is passed directly to the include sink in execTemplate() via a forged request gr

Is CVE-2026-15005 actively exploited?

Active exploitation of CVE-2026-15005 has not been confirmed. The EPSS score is N/A%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2026-15005?

CVE-2026-15005 has a CVSS v3 base score of 8.8 (HIGH severity), with vector string 3.1.

Is CVE-2026-15005 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.