{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14164", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T21:15:22.716Z", "datePublished": "2025-12-20T03:20:21.632Z", "dateUpdated": "2026-04-08T16:47:48.500Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:48.500Z"}, "affected": [{"vendor": "edckwt", "product": "Quran Gateway", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Quran Gateway plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing nonce validation in the quran_gateway_options function. This makes it possible for unauthenticated attackers to modify the plugin's display settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Quran Gateway <= 1.5 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e16da38-709a-4b9a-9f00-efe8459a1318?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-gateway/trunk/admin.php#L457"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-gateway/tags/1.5/admin.php#L457"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2025-12-19T15:07:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T16:14:44.042316Z", "id": "CVE-2025-14164", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T16:15:04.415Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14164", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T16:14:44.042316Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T16:14:51.405Z"}}], "cna": {"title": "Quran Gateway <= 1.5 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "edckwt", "product": "Quran Gateway", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-19T15:07:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e16da38-709a-4b9a-9f00-efe8459a1318?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-gateway/trunk/admin.php#L457"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-gateway/tags/1.5/admin.php#L457"}], "descriptions": [{"lang": "en", "value": "The Quran Gateway plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing nonce validation in the quran_gateway_options function. This makes it possible for unauthenticated attackers to modify the plugin's display settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:48.500Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14164", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:47:48.500Z", "dateReserved": "2025-12-05T21:15:22.716Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-20T03:20:21.632Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Quran Gateway plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing nonce validation in the quran_gateway_options function. This makes it possible for unauthenticated attackers to modify the plugin's display settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-14164", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-20T04:16:07.687", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-gateway/tags/1.5/admin.php#L457"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-gateway/trunk/admin.php#L457"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e16da38-709a-4b9a-9f00-efe8459a1318?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:00:07.969813+00:00", "value": {"mitigation_remediation": ["Upgrade the Quran Gateway plugin to a release newer than 1.5 where the CSRF issue is fixed. If no update is available, uninstall the plugin entirely.", "Configure the WordPress security plugin or Web Application Firewall to block unauthenticated POST requests to the plugin\u2019s admin endpoint or to enforce presence of a nonce token.", "Educate site administrators to avoid clicking unknown links or to verify the source of any links that seem to modify site settings."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized configuration changes via CSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of the Quran Gateway plugin up to and including version 1.5, distributed by the vendor edckwt. Systems running WordPress with this plugin installed are affected, regardless of the WordPress core version. The vendor\u2019s product name is Quran Gateway; no other vendors are impacted.", "description_and_impact": "The Quran Gateway plugin for WordPress suffers from a Cross\u2011Site Request Forgery flaw caused by a missing nonce check in its settings update handler. This flaw allows an attacker who can trick a site administrator into clicking a crafted link to change the plugin\u2019s display settings without authentication. The consequence is a loss of integrity of configuration data; affected settings may redirect users or alter content presentation, potentially impacting user experience and trust. No remote code execution or data exfiltration is provided by the flaw, but the integrity impact can be significant when the plugin controls key on\u2011site text or redirects.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, largely because the flaw requires the victim to be an authenticated administrator. The EPSS score of less than 1\u202f% suggests a very low current exploitation probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is inferred to be an HTTP request that an administrator unknowingly submits, perhaps through a malicious link or embed. Exploitation would require social engineering of a site admin, and the damage is limited to configuration changes rather than full server compromise."}}}}, "created": "2025-12-21T21:12:35.499664+00:00", "updated": "2026-04-21T17:00:12.334924+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}