CVE-2021-24721
08.11.2021, 18:15
The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs that are saved to a file, and that file can be renamed to an extension ending in .php. As a result, authenticated "translator" users are able to inject PHP code into files ending with .php in web-accessible locations.
| Vendor | Product | Version |
|---|---|---|
| loco_translate_project | loco_translate | 𝑥 < 2.5.4 |
𝑥 = Vulnerable software versions