Description
The WordPress plugin Loco Translate is prone to a code injection vulnerability because it fails to sanitize user-supplied input. An attacker can exploit this issue to execute arbitrary PHP code in the context of the affected web server process. Loco Translate version 2.5.3 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 2.5.4 or later.
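A defender-side inventory check, added here and not part of the advisory or of the plugin: it reads the version from a plugin's readme.txt ("Stable tag:", the file referenced below) or from the main plugin file header ("Version:") and reports whether it is below the fixed release 2.5.4. The header texts are constructed samples, and the plugin name and fix version come from this advisory.

```python
import re
from typing import Optional, Tuple

FIXED_VERSION = "2.5.4"  # first release carrying the fix, per the advisory

# Constructed sample: header block of a plugin's readme.txt (Stable tag)
SAMPLE_README = """=== Loco Translate ===
Contributors: example
Requires at least: 5.2
Stable tag: 2.5.3
"""

# Constructed sample: header comment of a plugin's main PHP file
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Loco Translate
Version: 2.5.4
*/
"""


def parse_version(text: str) -> Optional[str]:
    """Return the version declared by a 'Stable tag:' or 'Version:' header line."""
    m = re.search(r"^\s*(?:Stable tag|Version)\s*:\s*(\S+)\s*$", text, re.M | re.I)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric components only, so that 2.10 compares greater than 2.9."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the declared version is older than FIXED_VERSION, None if no version found."""
    v = parse_version(text)
    if v is None:
        return None
    a, b = version_tuple(v), version_tuple(FIXED_VERSION)
    n = max(len(a), len(b))  # pad so 2.5 and 2.5.0 compare equal
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


if __name__ == "__main__":
    for label, text in (("readme.txt", SAMPLE_README), ("plugin header", SAMPLE_PLUGIN_HEADER)):
        print(label, parse_version(text), "vulnerable" if is_vulnerable(text) else "patched")
```

Run it against the real files under wp-content/plugins/loco-translate/ to triage an installation; an unparsable header yields None and should be reviewed by hand.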
References
https://sploitus.com/exploit?id=WPEX-ID:BC7D4774-FCE8-4B0B-8015-8EF4C5B02D38
https://plugins.svn.wordpress.org/loco-translate/trunk/readme.txt