MEDIUM (6.7)
    Plugin

    Path Traversal Vulnerability in Loco Translate Plugin

    Published Date: 5/5/2026
    CVE ID: CVE-2026-1921

    Summary

    The Loco Translate plugin for WordPress is susceptible to a path traversal vulnerability via the `fsReference` AJAX route, allowing unauthorized file access. By exploiting this flaw, authenticated users with Translator-level access or above can traverse directories and read sensitive files on the server.

    Vulnerability Details

    The vulnerability arises from improper validation of user-supplied paths in the `findSourceFile()` method of the Loco Translate plugin. When a user-supplied `ref` path contains directory traversal sequences such as `../`, the function normalizes the path but does not adequately confirm that the normalized result still lies within the permitted directories. Despite the explicit restriction against accessing `wp-config.php`, this oversight allows any user with the `loco_admin` capability (not only administrators but also the default Translator role) to read sensitive files such as PHP, JavaScript, JSON, and Twig files. This access can leak configuration or application-logic details, posing a significant security risk. Notably, this vulnerability affects all versions of the plugin up to and including 2.8.2.
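    As an added illustration (not the plugin's own code), the containment check that the paragraph above describes as missing: the reference is resolved against each permitted root and accepted only if the normalised path is still underneath that root. The function name, its parameters and the list of allowed roots are assumptions for the example.

```php
<?php
// Added example, not Loco Translate's code. Demonstrates a containment check
// for a user-supplied source-file reference: normalise first, then verify
// that the normalised path has not escaped an allowed root directory.
// resolve_source_ref(), $ref and $allowed_roots are hypothetical names.

function resolve_source_ref(string $ref, array $allowed_roots): ?string {
    // Reject embedded NUL bytes before touching the filesystem.
    if (strpos($ref, "\0") !== false) {
        return null;
    }
    foreach ($allowed_roots as $root) {
        $real_root = realpath($root);
        if ($real_root === false) {
            continue; // root does not exist on this install
        }
        // realpath() collapses "../" segments and symlinks and returns
        // false when the target does not exist.
        $candidate = realpath($real_root . DIRECTORY_SEPARATOR . $ref);
        if ($candidate === false) {
            continue;
        }
        // The prefix comparison must include the trailing separator, so
        // "/srv/www/plugins-other" is not accepted as inside "/srv/www/plugins".
        $prefix = rtrim($real_root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
            continue; // normalised path left the root: traversal attempt
        }
        // A file-name denylist alone (e.g. wp-config.php) is not a substitute
        // for the containment check above; keep it only as a second layer.
        if (basename($candidate) === 'wp-config.php') {
            return null;
        }
        return $candidate;
    }
    return null; // no permitted root contains the requested file
}

// Example call (illustrative): WP_PLUGIN_DIR and get_theme_root() are
// real WordPress constants/functions, the request parameter name is assumed.
// $path = resolve_source_ref($_POST['ref'], [WP_PLUGIN_DIR, get_theme_root()]);
```

    A reference such as `../../wp-config.php` resolves outside every root and is rejected by the prefix comparison rather than by the file-name denylist.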

    Recommendations

    To mitigate this risk, limit the `loco_admin` capability to essential roles only, removing it from non-administrative users where possible. Consider using a Web Application Firewall (WAF) to detect and block suspicious path traversal attempts. Regularly monitor user activities for unauthorized file access patterns.

    Available Fixes

    Last Updated: 5/7/2026
    Jedar

    Jedar for Digital Rights is a non-profit organization dedicated to protecting digital freedoms, enhancing online privacy, and promoting secure digital practices for vulnerable communities worldwide.
