🟠 《高危安全漏洞:CVE-2026-15005》

CVSS 评分: 高危(8.8)  状态: Received  发布时间: 2026-07-16


漏洞描述

The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by supplying a php://filter stream wrapper URI as the 'template' parameter, which bypasses path validation and is passed directly to the include sink in execTemplate() via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


🔍 技术细节

字段
CVE ID CVE-2026-15005
CVSS 评分 8.8 🟠
严重程度 高危
CVSS 向量 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE 分类 CWE-352
发布时间 2026-07-16
最后更新 2026-07-16
状态 Received
数据来源 security@wordfence.com

🔗 参考链接