### [CVE-2021-24721](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24721)
![](https://img.shields.io/static/v1?label=Product&message=Loco%20Translate&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=2.5.4%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-94%20Improper%20Control%20of%20Generation%20of%20Code%20('Code%20Injection')&color=brightgreen)

### Description

The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations.

### POC

#### Reference
- https://wpscan.com/vulnerability/bc7d4774-fce8-4b0b-8015-8ef4c5b02d38

#### Github
- https://github.com/20142995/nuclei-templates