Impact
The Quran Gateway plugin for WordPress contains a Cross-Site Request Forgery flaw caused by a missing nonce check in its settings update handler. An attacker who can lure a logged-in site administrator into opening a crafted link or page can have the administrator's browser submit a settings-update request to the plugin; because the handler never verifies a nonce, the request is honoured on the strength of the administrator's existing session alone, and the attacker needs no credentials of their own. The consequence is a loss of integrity of the plugin's configuration data: the affected display settings may redirect users or alter how content is presented, which can affect user experience and trust. The flaw provides no remote code execution or data exfiltration, but the integrity impact can be significant when the plugin controls key on-site text or redirects.
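The following is an added illustration of the bug class the advisory describes, not code from the Quran Gateway plugin itself: a generic WordPress settings-update handler written first without a nonce check (the vulnerable shape) and then hardened with a capability check, a nonce check and input validation. The option name `qg_settings`, the field names, the page slug and the `admin_post_qg_save_settings` action are all hypothetical; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option`) are real core APIs.

```php
<?php
/**
 * Added example (not the plugin's own code). Option name, form fields,
 * page slug and action name are hypothetical placeholders.
 */

// Vulnerable pattern: any POST to admin-post.php?action=qg_save_settings
// arriving with a logged-in administrator's cookies is honoured, including
// a request auto-submitted by an attacker-controlled page. There is no
// nonce check and no capability check, so this is a CSRF sink.
function qg_save_settings_vulnerable() {
    $settings = array(
        'display_mode' => isset( $_POST['display_mode'] ) ? $_POST['display_mode'] : 'inline',
        'redirect_url' => isset( $_POST['redirect_url'] ) ? $_POST['redirect_url'] : '',
    );
    update_option( 'qg_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=qg-settings&saved=1' ) );
    exit;
}

// Hardened pattern.
function qg_save_settings_hardened() {
    // 1. Authorisation: only users allowed to manage options may reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: the request must carry a nonce bound to this action and
    //    to the current user's session. check_admin_referer() reads
    //    $_REQUEST['qg_settings_nonce'], verifies it via wp_verify_nonce(), and
    //    terminates with a 403 page when the nonce is absent, forged or expired.
    //    An attacker's page cannot obtain the admin's nonce, so a forged POST dies here.
    check_admin_referer( 'qg_save_settings', 'qg_settings_nonce' );

    // 3. Input validation: never write raw $_POST values into options.
    $allowed_modes = array( 'inline', 'popup', 'sidebar' );
    $mode = isset( $_POST['display_mode'] )
        ? sanitize_key( wp_unslash( $_POST['display_mode'] ) )
        : 'inline';
    if ( ! in_array( $mode, $allowed_modes, true ) ) {
        $mode = 'inline';
    }
    $redirect = isset( $_POST['redirect_url'] )
        ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) )
        : '';

    update_option( 'qg_settings', array(
        'display_mode' => $mode,
        'redirect_url' => $redirect,
    ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=qg-settings&saved=1' ) );
    exit;
}

// The settings form must emit the matching nonce field; without it the
// hardened handler rejects legitimate saves as well.
function qg_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="qg_save_settings">
        <?php wp_nonce_field( 'qg_save_settings', 'qg_settings_nonce' ); ?>
        <p><label>Display mode <input type="text" name="display_mode"></label></p>
        <p><label>Redirect URL <input type="url" name="redirect_url"></label></p>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

// Wire the hardened handler. admin_post_{action} hooks only fire for
// logged-in users, which is precisely why a login check alone does not stop
// CSRF: the victim is logged in. The nonce is the control that matters.
add_action( 'admin_post_qg_save_settings', 'qg_save_settings_hardened' );
```

When auditing a plugin for this flaw, the check is mechanical: locate every code path that calls `update_option()` (or otherwise persists settings) from a form or admin-post handler, and confirm that `check_admin_referer()`, `wp_verify_nonce()` or the Settings API's built-in nonce handling runs before the write. A handler that only checks `is_admin()` or `is_user_logged_in()` is still exploitable, since the forged request carries the administrator's own session.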
Affected Systems
The vulnerability exists in all releases of the Quran Gateway plugin up to and including version 1.5, distributed by the vendor edckwt. Systems running WordPress with this plugin installed are affected, regardless of the WordPress core version. The vendor’s product name is Quran Gateway; no other vendors are impacted.
Risk and Exploitability
The CVSS score of 4.3 places the flaw at medium severity, largely because exploitation depends on user interaction by an authenticated administrator and the impact is confined to integrity. The EPSS score of less than 1 % indicates a very low current probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be an HTTP request that the administrator's browser submits without the administrator noticing, for example after following a malicious link or visiting a page that embeds an auto-submitting form aimed at the plugin's settings handler. Exploitation therefore requires social engineering of a site administrator, and the damage is limited to configuration changes rather than full server compromise. A practitioner assessing a given site should confirm whether the installed plugin version is 1.5 or earlier and whether the settings handler performs a nonce check before writing options; sites where administrators routinely browse untrusted pages while logged in are the most exposed.
OpenCVE Enrichment