Description
The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quran_playlist_options() function that handles the plugin's settings page. The function processes POST requests to update plugin options via update_option() without any wp_nonce_field() in the form or wp_verify_nonce()/check_admin_referer() verification before processing. This makes it possible for unauthenticated attackers to modify plugin settings (toggling display options for PDF, RSS, podcast, media player links, playlist title, and playlist code) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of plugin settings via CSRF
Action: Patch Plugin
AI Analysis

Impact

The Quran Translations plugin for WordPress contains a CSRF weakness that permits unauthenticated attackers to submit forged POST requests to the plugin's settings page. Because the application lacks nonce verification, any request reaching the update_option() call will alter plugin options. An attacker could therefore flip controls such as PDF, RSS, podcast, media player links, or change the playlist title and code, effectively hijacking the public display configuration of the site.

Affected Systems

This flaw affects the WordPress plugin Quran Translations, versions 1.7 and earlier. End‑users running any of those releases, especially administrators who have permission to modify the plugin’s configuration, are vulnerable. The issue exists only in the plugin code and does not impact core WordPress or other plugins.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium severity threat, and the EPSS score is not publicly available. The vulnerability is not currently listed in CISA’s KEV catalog. Attackers need only craft a link or page that an administrator will click; no privileged credentials are required. If an administrator submits the forged request, the plugin settings will change at the site level, potentially exposing the site to further misuse or operational disruption.

Generated by OpenCVE AI on April 8, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of the Quran Translations plugin that includes nonce verification
  • Verify that the settings form now includes a nonce field and that verification occurs before updating options
  • If immediate upgrade is impossible, disable the plugin’s settings page or restrict that capability to a higher privileged role
  • Deploy a web application firewall or CSRF protection plugin to monitor and block forged POST requests to WordPress settings endpoints

Generated by OpenCVE AI on April 8, 2026 at 08:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Edckwt
Edckwt quran Translations
Wordpress
Wordpress wordpress
Vendors & Products Edckwt
Edckwt quran Translations
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Description The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quran_playlist_options() function that handles the plugin's settings page. The function processes POST requests to update plugin options via update_option() without any wp_nonce_field() in the form or wp_verify_nonce()/check_admin_referer() verification before processing. This makes it possible for unauthenticated attackers to modify plugin settings (toggling display options for PDF, RSS, podcast, media player links, playlist title, and playlist code) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Quran Translations <= 1.7 - Cross-Site Request Forgery to Playlist Settings Form
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Edckwt Quran Translations
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:19.724Z

Reserved: 2026-03-13T15:33:40.102Z

Link: CVE-2026-4141

cve-icon Vulnrichment

Updated: 2026-04-08T16:00:59.209Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T07:16:22.233

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-4141

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:43:34Z

Weaknesses