Impact
The Quran multilanguage Text & Audio plugin does not properly neutralize user-supplied input before rendering it in HTML. The flaw allows stored cross-site scripting: an attacker can submit malicious JavaScript that the plugin saves and later executes in the browser of any visitor who views the affected content. Because the payload persists on the server, the attacker does not need to lure each victim to a crafted link; the script runs every time the stored content is displayed.
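The following PHP is an added illustration of the bug class described above; it is not code from the Quran multilanguage Text & Audio plugin. A plain array stands in for the database rows the plugin would read back, the payload in row 2 is constructed for the demo, and the function names are hypothetical. It shows the vulnerable render pattern next to the output-encoded one, plus a coarse triage check a responder could run over already-stored content.

```php
<?php
// Added example, not the plugin's code. The array below stands in for rows the
// plugin would have stored; row 2 is a constructed stored-XSS payload.
$stored_rows = [
    ['id' => 1, 'text' => 'Surah Al-Fatiha, 7 ayat'],
    ['id' => 2, 'text' => '<img src=x onerror="alert(document.domain)">'],
];

// Vulnerable pattern: stored text is dropped into the HTML body unchanged, so
// markup saved by one user is parsed and executed by every later viewer.
function render_row_vulnerable(array $row): string
{
    return '<li class="verse">' . $row['text'] . '</li>';
}

// Hardened pattern: encode at output time for the HTML text context.
// htmlspecialchars() is the plain-PHP equivalent of WordPress esc_html();
// inside WordPress use esc_attr(), esc_url() or wp_kses_post() for attribute,
// URL and rich-text contexts, since each context needs its own encoder.
function render_row_safe(array $row): string
{
    $escaped = htmlspecialchars($row['text'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li class="verse">' . $escaped . '</li>';
}

// Triage check for a site that ran the vulnerable version: flag stored values
// containing markup that a plain-text field should never hold. This is an
// indicator for incident review, not a sanitizer; the fix is output encoding.
function find_suspicious_rows(array $rows): array
{
    $pattern = '/<\s*script|<\s*(?:img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:/i';
    $hits = [];
    foreach ($rows as $row) {
        if (preg_match($pattern, $row['text'])) {
            $hits[] = $row['id'];
        }
    }
    return $hits;
}

foreach ($stored_rows as $row) {
    echo 'vulnerable: ' . render_row_vulnerable($row) . PHP_EOL;
    echo 'safe:       ' . render_row_safe($row) . PHP_EOL;
}
// For the sample data this reports row 2 only.
echo 'rows to review: ' . implode(', ', find_suspicious_rows($stored_rows)) . PHP_EOL;
```

Run with `php example.php`. The vulnerable renderer emits row 2 as live markup, while the safe renderer emits `&lt;img src=x onerror=&quot;...&quot;&gt;`, which the browser shows as text. The triage regex is deliberately broad; review its hits by hand rather than deleting on a match.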
Affected Systems
WordPress sites running the karim42 Quran multilanguage Text & Audio plugin at version 2.3.23 or earlier are affected, on any instance where the plugin is active and accepts user-supplied text.
Risk and Exploitability
The CVSS score of 5.9 places the severity at medium. The EPSS score of under 1% estimates a low probability of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog, so CISA has not recorded in-the-wild exploitation. An attacker must inject the payload through the plugin's content input, the only described way to persist the script; the payload is then served to every visitor who views that content. The impact is confined to visitors' browsers, and the description does not imply compromise of the server itself. One caveat applies to any stored XSS on a WordPress site: if a logged-in administrator views the stored payload, the script runs with that user's session, so the affected content should be treated as reachable by privileged users when assessing exposure.
OpenCVE Enrichment