Title: False Vulnerability Reports
Last modified: December 18, 2025

---

# False Vulnerability Reports

 *  Plugin Author [Tim W](https://wordpress.org/support/users/timwhitlock/)
 * (@timwhitlock)
 * [5 months, 3 weeks ago](https://wordpress.org/support/topic/false-vulnerability-reports/)
 * Recently I’ve received multiple reports that Loco Translate is affected by GHSA-
   882J-4VJ5-7VMJ / CVE-2024-29042. This is false.
 * This GHSA/CVE applies only to the translate npm package (Node.js), as confirmed
   by the original GitHub Security Advisory and OSV/NVD records. Loco Translate 
   is a PHP-based WordPress plugin, does not use npm or Node.js, and has no dependency
   on the affected package.
 * Source: [https://github.com/advisories/GHSA-882j-4vj5-7vmj](https://github.com/advisories/GHSA-882j-4vj5-7vmj)
 * If your malware scanner flags this, let the provider know their data produces
   a false positive.

You must be [logged in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Ffalse-vulnerability-reports%2F%3Foutput_format%3Dmd&locale=en_US)
to reply to this topic.

 * ![](https://ps.w.org/loco-translate/assets/icon-256x256.png?rev=1000676)
 * [Loco Translate](https://wordpress.org/plugins/loco-translate/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/loco-translate/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/loco-translate/)
 * [Active Topics](https://wordpress.org/support/plugin/loco-translate/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/loco-translate/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/loco-translate/reviews/)

 * 0 replies
 * 1 participant
 * Last reply from: [Tim W](https://wordpress.org/support/users/timwhitlock/)
 * Last activity: [5 months, 3 weeks ago](https://wordpress.org/support/topic/false-vulnerability-reports/)
 * Status: not a support question