Description
The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran_live_render() function of quran-live.php receives shortcode attributes and passes them directly through shortcode_atts() and extract() without any sanitization. These values are then passed to Render_Quran_Live::render_verse_quran_live() where they are echoed directly into inline <script> blocks using PHP short tags (<?=$cheikh;?> and <?=$lang;?>) at lines 191, 216, 217, 245, and 246 of Class_QuranLive.php. Since the output occurs inside a JavaScript context within <script> tags, an attacker can break out of the JavaScript string and inject arbitrary script code. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Quran Live Multilanguage WordPress plugin is vulnerable to stored Cross‑Site Scripting because the shortcodes 'cheikh' and 'lang' are inserted into inline <script> tags without sanitization. An attacker with Contributor or higher privileges can craft shortcode attributes that break out of the JavaScript string and inject arbitrary script code. The injected script runs whenever a user visits a page containing the shortened content, allowing theft of credentials, session hijacking, or defacement.

Affected Systems

Vulnerability affects the Karim42 'Quran Live Multilanguage' plugin for WordPress, all versions up to and including 1.0.3. Any site running these versions is at risk.

Risk and Exploitability

CVSS score of 6.4 indicates moderate impact, and the vulnerability is not listed in CISA KEV and has no EPSS available, suggesting limited public exploitation data. The attack requires an authenticated Contributor+ user to add or edit content with malicious shortcode attributes; once injected, the script is stored server‑side and executed for all visitors, leading to a wide exposure surface. Because the attacker must log in, the risk is moderate but still significant for sites that allow wide Contributor permissions.

Generated by OpenCVE AI on April 22, 2026 at 09:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Quran Live Multilanguage plugin to the newest release that sanitizes shortcode attributes.
  • If an update is unavailable, restrict the Contributor role to prevent adding or editing shortcodes or remove the plugin from the production environment.
  • Review existing posts and pages for the 'cheikh' and 'lang' attributes and sanitize or delete any that contain untrusted content.

Generated by OpenCVE AI on April 22, 2026 at 09:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Karim42
Karim42 quran Live Multilanguage
Wordpress
Wordpress wordpress
Vendors & Products Karim42
Karim42 quran Live Multilanguage
Wordpress
Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran_live_render() function of quran-live.php receives shortcode attributes and passes them directly through shortcode_atts() and extract() without any sanitization. These values are then passed to Render_Quran_Live::render_verse_quran_live() where they are echoed directly into inline <script> blocks using PHP short tags (<?=$cheikh;?> and <?=$lang;?>) at lines 191, 216, 217, 245, and 246 of Class_QuranLive.php. Since the output occurs inside a JavaScript context within <script> tags, an attacker can break out of the JavaScript string and inject arbitrary script code. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Quran Live Multilanguage <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Karim42 Quran Live Multilanguage
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T15:31:29.305Z

Reserved: 2026-03-12T19:52:43.714Z

Link: CVE-2026-4074

cve-icon Vulnrichment

Updated: 2026-04-22T15:26:19.688Z

cve-icon NVD

Status : Received

Published: 2026-04-22T09:16:21.947

Modified: 2026-04-22T09:16:21.947

Link: CVE-2026-4074

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:43:59Z

Weaknesses