Plugin Author
Tim W
(@timwhitlock)
WordFence have not disclosed their finding yet.
The “double extension” reference means a file named “something.php.pot” would be allowed to be saved by the plugin and potentially executed by PHP. Most server setups should disallow this, but it is worth checking.
Note that an attacker would also require a login to your WordPress admin and permission to access Loco Translate functions. The plugin does not allow files to be written without authentication.
If you’re worried, check for files with double extensions like “.php.po” etc. and ensure your web server does not attempt to parse them as PHP. As a general security measure you should limit PHP execution strictly to files that require it.
If you would like any more detail on the severity or risk level associated with this, please ask WordFence. For reasons given above, my personal opinion is that the risk is low, but I am not a security researcher and their opinion may differ.
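The two checks Tim describes above (look for double-extension files, then confirm the web server does not execute them) as an added example; this is not code from Loco Translate or from the thread. It assumes the WordPress root is passed as the first argument, that translation files live under wp-content/languages and in plugin/theme “languages” folders, and the probe file name lt-probe.php.pot and the site URL are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Loco Translate or the forum post.
# 1) find_double_ext: list regular files whose name ends in ".php.<po|pot|mo|json>",
#    the "double extension" pattern discussed in the thread (e.g. something.php.pot).
# 2) probe_php_execution: drop a harmless marker file under the docroot and fetch
#    it over HTTP to see whether PHP ran it. Needs a live site; not run by the test.
# Assumption: $1 is the WordPress root (wp-content/languages lives below it).

find_double_ext() {
  find "$1" -type f \( -name '*.php.po' -o -name '*.php.pot' \
       -o -name '*.php.mo' -o -name '*.php.json' \) 2>/dev/null
}

# Bare integer count of such files, for a quick yes/no check in scripts.
count_double_ext() {
  find_double_ext "$1" | wc -l | tr -d ' '
}

# $1 = docroot on disk, $2 = site base URL (hypothetical values when run).
# If the body still contains "<?php", the server sent the file as plain text (good).
# If only the echoed marker comes back, PHP executed it (bad: restrict the handler).
probe_php_execution() {
  docroot="$1"; base_url="$2"
  rel="wp-content/languages/lt-probe.php.pot"   # hypothetical probe name
  printf '<?php echo "LT_EXECUTED"; ?>\n' > "$docroot/$rel"
  body=$(curl -fsS "$base_url/$rel") || { rm -f "$docroot/$rel"; return 2; }
  rm -f "$docroot/$rel"
  case "$body" in
    *'<?php'*)      echo "not executed: served as text"; return 0 ;;
    *LT_EXECUTED*)  echo "EXECUTED as PHP: limit PHP to files that need it"; return 1 ;;
    *)              echo "unexpected response"; return 2 ;;
  esac
}

# Stand-alone demo on a constructed directory tree (no real site needed).
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wp-content/languages/loco/plugins"
  : > "$tmp/wp-content/languages/loco/plugins/evil.php.pot"   # constructed: suspicious
  : > "$tmp/wp-content/languages/loco/plugins/ok-de_DE.po"    # constructed: normal
  find_double_ext "$tmp"
  echo "suspicious files: $(count_double_ext "$tmp")"
  rm -rf "$tmp"
fi
```

Run the scan as `find_double_ext /var/www/html` after sourcing the file; a non-zero count is not proof of compromise (a legitimate file could carry that name), but each hit should be inspected and the probe run before relying on “most server setups should disallow this”.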
Thread Starter
B
(@blclda)
Hey Tim, thank you for the explanation, appreciate it.