CVE-2026-4074 in Quran Live Multilanguage Pluginالمعلومات

الملخص

بحسب MITRE • 22/04/2026

The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran_live_render() function of quran-live.php receives shortcode attributes and passes them directly through shortcode_atts() and extract() without any sanitization. These values are then passed to Render_Quran_Live::render_verse_quran_live() where they are echoed directly into inline blocks using PHP short tags ( and ) at lines 191, 216, 217, 245, and 246 of Class_QuranLive.php. Since the output occurs inside a JavaScript context within tags, an attacker can break out of the JavaScript string and inject arbitrary script code. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

Wordfence

حجز

12/03/2026

إفشاء

22/04/2026

الاعتدال

تمت الموافقة

إدخال

VDB-358789

EPSS

0.00020

KEV

لا

النشاطات

منخفض

القطاع

Hostingprovider

المصادر

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-4074
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-4074
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-4074/

التالي نظرة عامة السابق

Do you want to use VulDB in your project?

Use the official API to access entries easily!