Impact
The vulnerability is a classic Cross‑Site Request Forgery (CWE‑352) in the WordPress GlobalQuran plugin that allows an attacker to modify plugin settings without authorization. By forging a request that a logged‑in user's browser submits to the settings endpoint, the attacker can change configuration data, potentially altering how the plugin operates or how it presents content, which can affect the integrity and availability of the WordPress site. Based on the description, it is inferred that an authenticated session is required for this CSRF to succeed.
Affected Systems
The flaw affects all releases of the GlobalQuran plugin up to and including version 1.0. The vendor listed is IbasiT and the product is GlobalQuran. Any WordPress site that has this plugin installed at a vulnerable version is at risk.
Risk and Exploitability
The CVSS score is 4.3 (medium severity), and exploitation requires authenticated access. The EPSS score of less than 1% indicates a low observed probability of exploitation in the field, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker needs an authenticated admin user to exploit this CSRF. The likely attack vector is to trick an authenticated admin user into visiting a malicious page, or otherwise to deliver the forged request while the admin is logged in. Because the flaw is a CSRF, it is easier to exploit than remote code execution but still requires user interaction; thus, the overall risk is moderate but non‑negligible.
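The settings-endpoint weakness described under Impact, and the "admin logged in while the forged request is delivered" vector described above, both come down to a handler that accepts any POST carrying the victim's session cookie. The following is an added illustration written for this advisory, not the GlobalQuran plugin's own code: a hypothetical WordPress settings handler shown first in the CSRF-prone shape the advisory describes and then hardened with a nonce bound to the save action plus a capability check. The option name, nonce action, form field names and page slug are assumptions; the WordPress functions used (check_admin_referer, wp_nonce_field, current_user_can, update_option) are real core APIs.

```php
<?php
/*
 * Added example (not from the GlobalQuran plugin): a hypothetical settings
 * handler in its CSRF-prone form and its hardened form. Names prefixed
 * gq_example_ are assumptions made for this illustration.
 */

// --- CSRF-prone pattern: trusts any POST that arrives with an admin's cookies.
// The browser attaches the session cookie automatically, so a form submitted from
// an attacker-controlled page runs as the victim. Nothing ties the request to the
// plugin's own settings screen, and nothing checks who is allowed to do this.
function gq_example_save_settings_insecure() {
    if ( isset( $_POST['gq_example_api_url'] ) ) {
        // no nonce check, no capability check, no sanitising
        update_option( 'gq_example_api_url', $_POST['gq_example_api_url'] );
    }
}

// --- Hardened pattern.
// 1. Render the form with a nonce bound to one specific action.
function gq_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to change these settings.', 'gq-example' ) );
    }
    $current = get_option( 'gq_example_api_url', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="gq_example_save_settings">
        <?php wp_nonce_field( 'gq_example_save_settings', 'gq_example_nonce' ); ?>
        <label>API URL
            <input type="url" name="gq_example_api_url" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( __( 'Save', 'gq-example' ) ); ?>
    </form>
    <?php
}

// 2. Handle the POST: verify the nonce for that action, then the capability,
//    then sanitise before storing.
function gq_example_save_settings_secure() {
    // check_admin_referer() validates the nonce field named in the second
    // argument and calls wp_die() on failure, so a cross-site forgery, which
    // cannot read the victim's nonce, never reaches update_option().
    check_admin_referer( 'gq_example_save_settings', 'gq_example_nonce' );

    // A valid nonce proves the request came from this site's form; it does not
    // prove the user may change settings, so check the capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient privileges.', 'gq-example' ), '', array( 'response' => 403 ) );
    }

    $url = isset( $_POST['gq_example_api_url'] )
        ? esc_url_raw( wp_unslash( $_POST['gq_example_api_url'] ) )
        : '';
    update_option( 'gq_example_api_url', $url );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'options-general.php?page=gq-example' ) ) );
    exit;
}

// Only the hardened handler is wired to admin-post.php; the insecure function
// above is kept for contrast and is deliberately not registered.
add_action( 'admin_post_gq_example_save_settings', 'gq_example_save_settings_secure' );
add_action( 'admin_menu', function () {
    add_options_page( 'GQ Example', 'GQ Example', 'manage_options', 'gq-example', 'gq_example_render_settings_page' );
} );
```

The nonce is what closes the "admin is logged in while the request is delivered" vector: the session cookie is sent automatically by the browser, but the per-user, per-action nonce value is only present in the page the plugin itself rendered, so an attacker-controlled page cannot supply it. When reviewing a plugin for this class of bug, look for every update_option() or similar write reachable from an admin-post, admin-ajax or options.php path and confirm it is preceded by both a nonce check and a capability check, since either one alone leaves a gap.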