CVE-2026-4074
Stored XSS in Quran Live WordPress Plugin via Shortcode Attributes
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Quran Live Multilanguage plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 1.0.3. This occurs because the plugin does not properly sanitize or escape user input in the 'cheikh' and 'lang' shortcode attributes. These attributes are passed directly into JavaScript code blocks without validation, allowing an attacker to inject malicious scripts.
Specifically, the quran_live_render() function processes shortcode attributes without sanitization, and these values are echoed inside inline <script> tags in the plugin's PHP files. An attacker with Contributor-level access or higher can exploit this to inject arbitrary JavaScript that executes when users view the affected pages.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of your website. This can lead to several impacts including theft of user credentials, session hijacking, defacement of the website, or distribution of malware.
Since the attack requires Contributor-level access or higher, it means that an authenticated user with limited privileges could escalate their impact by injecting malicious scripts that affect other users visiting the site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via stored cross-site scripting (XSS). This can lead to unauthorized script execution in users' browsers, potentially exposing sensitive user data or session information.
Such unauthorized data exposure or manipulation could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information.
However, the provided information does not explicitly detail the direct effects on compliance or specific regulatory impacts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying the presence of the Quran Live Multilanguage plugin for WordPress, specifically versions up to and including 1.0.3, and checking for usage of the vulnerable shortcode attributes 'cheikh' and 'lang'.
Since the vulnerability is a Stored Cross-Site Scripting (XSS) via shortcode attributes, you can detect attempts by monitoring HTTP requests or logs for unusual or suspicious input in these shortcode parameters.
There are no specific commands provided in the available resources or CVE description to detect this vulnerability directly.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or disabling the Quran Live Multilanguage plugin if it is not essential.
If the plugin is required, update it to a version later than 1.0.3 once a patched release is available.
Restrict Contributor-level and higher user access to trusted users only, as the vulnerability requires authenticated users with Contributor-level access or above to exploit.
Monitor and sanitize user inputs related to the 'cheikh' and 'lang' shortcode attributes to prevent injection of malicious scripts.