{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4146", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T17:12:22.894Z", "datePublished": "2026-03-31T04:25:32.829Z", "dateUpdated": "2026-04-08T17:34:25.107Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:25.107Z"}, "affected": [{"vendor": "timwhitlock", "product": "Loco Translate", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.8.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018update_href\u2019 parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Loco Translate <= 2.8.2 - Reflected Cross-Site Scripting via 'update_href' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/faa6c744-7586-47ee-b2ce-af972ee8b4f7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.2/tpl/admin/config/version.php#L17"}, {"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.2/src/mvc/View.php#L259"}, {"url": "https://plugins.trac.wordpress.org/changeset/3482475/loco-translate"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jack Pas"}], "timeline": [{"time": "2026-03-30T15:35:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T15:04:42.791685Z", "id": "CVE-2026-4146", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:04:48.727Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4146", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T15:04:42.791685Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:04:46.656Z"}}], "cna": {"title": "Loco Translate <= 2.8.2 - Reflected Cross-Site Scripting via 'update_href' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Jack Pas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "timwhitlock", "product": "Loco Translate", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.8.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-30T15:35:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/faa6c744-7586-47ee-b2ce-af972ee8b4f7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.2/tpl/admin/config/version.php#L17"}, {"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.2/src/mvc/View.php#L259"}, {"url": "https://plugins.trac.wordpress.org/changeset/3482475/loco-translate"}], "descriptions": [{"lang": "en", "value": "The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018update_href\u2019 parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:25.107Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4146", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:25.107Z", "dateReserved": "2026-03-13T17:12:22.894Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-31T04:25:32.829Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018update_href\u2019 parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Loco Translate para WordPress es vulnerable a cross-site scripting reflejado a trav\u00e9s del par\u00e1metro 'update_href' en todas las versiones hasta la 2.8.2, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-4146", "lastModified": "2026-04-24T18:11:16.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-31T05:16:11.453", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.2/src/mvc/View.php#L259"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.2/tpl/admin/config/version.php#L17"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3482475/loco-translate"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/faa6c744-7586-47ee-b2ce-af972ee8b4f7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.8.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Loco Translate", "source": "cna", "vendor": "timwhitlock"}, "product": "loco_translate", "vendor": "timwhitlock"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-31T06:20:37.649586+00:00", "value": {"mitigation_remediation": ["Upgrade the Loco Translate plugin to version 2.8.3 or later.", "If an update cannot be applied immediately, disable or remove the Loco Translate plugin until a patched version is available.", "Restrict administrative access to trusted users to limit exposure to malicious links containing the vulnerable parameter."], "summary": {"action": "Patch Immediately", "impact": "Client\u2011Side Script Execution"}, "threat_synthesis": {"affected_systems": "Affected systems include the timwhitlock Loco Translate plugin for WordPress, versions 2.8.2 and earlier. Administrators should verify that they are running a version later than 2.8.2, as newer releases address the issue. The impact is limited to web pages that render the update_href approach; it does not provide a direct server\u2011side compromise.", "description_and_impact": "The vulnerability occurs in the Loco Translate WordPress plugin, where the update_href parameter is not properly sanitized or escaped. This allows an attacker to embed malicious JavaScript into that parameter, causing the script to run automatically in the victim\u2019s browser when the link is clicked. The attack can be performed by a unauthenticated attacker, and the resulting client\u2011side code execution can lead to cookie theft, session hijacking, defacement, or execution of arbitrary browser\u2011based actions.", "risk_and_exploitability": "The CVSS score of 6.1 classifies this as a moderate severity flaw. No EPSS score is published, and the vulnerability is not listed in KEV. The exploitation path is straightforward: an attacker crafts a link containing a malicious value for update_href and lures a user to click it. Because this requires only social engineering and does not rely on additional system weaknesses, the risk to sites that expose the parameter is non\u2011trivial. Administrators should treat this as a vulnerability that warrants prompt mitigation."}}}}, "created": "2026-03-31T19:56:15.626123+00:00", "updated": "2026-03-31T20:39:30.734253+00:00", "vendors": ["timwhitlock", "timwhitlock$PRODUCT$loco_translate", "wordpress", "wordpress$PRODUCT$wordpress"]}