{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4074", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T19:52:43.714Z", "datePublished": "2026-04-22T07:45:39.289Z", "dateUpdated": "2026-04-22T15:31:29.305Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:39.289Z"}, "affected": [{"vendor": "karim42", "product": "Quran Live Multilanguage", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran_live_render() function of quran-live.php receives shortcode attributes and passes them directly through shortcode_atts() and extract() without any sanitization. These values are then passed to Render_Quran_Live::render_verse_quran_live() where they are echoed directly into inline <script> blocks using PHP short tags (<?=$cheikh;?> and <?=$lang;?>) at lines 191, 216, 217, 245, and 246 of Class_QuranLive.php. Since the output occurs inside a JavaScript context within <script> tags, an attacker can break out of the JavaScript string and inject arbitrary script code. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Quran Live Multilanguage <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/883484dd-d48d-46f9-ae96-223626c50039?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L191"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L191"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L217"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L217"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L246"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L246"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L216"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L216"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L245"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L245"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/quran-live.php#L110"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/quran-live.php#L110"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2026-04-21T19:06:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T15:26:15.634329Z", "id": "CVE-2026-4074", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:31:29.305Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4074", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T15:26:15.634329Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:26:19.688Z"}}], "cna": {"title": "Quran Live Multilanguage <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "karim42", "product": "Quran Live Multilanguage", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-21T19:06:14.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/883484dd-d48d-46f9-ae96-223626c50039?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L191"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L191"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L217"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L217"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L246"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L246"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L216"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L216"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L245"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L245"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/quran-live.php#L110"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/quran-live.php#L110"}], "descriptions": [{"lang": "en", "value": "The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran_live_render() function of quran-live.php receives shortcode attributes and passes them directly through shortcode_atts() and extract() without any sanitization. These values are then passed to Render_Quran_Live::render_verse_quran_live() where they are echoed directly into inline <script> blocks using PHP short tags (<?=$cheikh;?> and <?=$lang;?>) at lines 191, 216, 217, 245, and 246 of Class_QuranLive.php. Since the output occurs inside a JavaScript context within <script> tags, an attacker can break out of the JavaScript string and inject arbitrary script code. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:39.289Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4074", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:31:29.305Z", "dateReserved": "2026-03-12T19:52:43.714Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-22T07:45:39.289Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran_live_render() function of quran-live.php receives shortcode attributes and passes them directly through shortcode_atts() and extract() without any sanitization. These values are then passed to Render_Quran_Live::render_verse_quran_live() where they are echoed directly into inline <script> blocks using PHP short tags (<?=$cheikh;?> and <?=$lang;?>) at lines 191, 216, 217, 245, and 246 of Class_QuranLive.php. Since the output occurs inside a JavaScript context within <script> tags, an attacker can break out of the JavaScript string and inject arbitrary script code. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4074", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:21.947", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L191"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L216"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L217"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L245"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L246"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/quran-live.php#L110"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L191"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L216"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L217"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L245"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L246"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/quran-live.php#L110"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/883484dd-d48d-46f9-ae96-223626c50039?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Quran Live Multilanguage", "source": "cna", "vendor": "karim42"}, "product": "quran_live_multilanguage", "vendor": "karim42"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T09:23:57.907114+00:00", "value": {"mitigation_remediation": ["Update the Quran Live Multilanguage plugin to the newest release that sanitizes shortcode attributes.", "If an update is unavailable, restrict the Contributor role to prevent adding or editing shortcodes or remove the plugin from the production environment.", "Review existing posts and pages for the 'cheikh' and 'lang' attributes and sanitize or delete any that contain untrusted content."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Vulnerability affects the Karim42 'Quran Live Multilanguage' plugin for WordPress, all versions up to and including 1.0.3. Any site running these versions is at risk.", "description_and_impact": "The Quran Live Multilanguage WordPress plugin is vulnerable to stored Cross\u2011Site Scripting because the shortcodes 'cheikh' and 'lang' are inserted into inline <script> tags without sanitization. An attacker with Contributor or higher privileges can craft shortcode attributes that break out of the JavaScript string and inject arbitrary script code. The injected script runs whenever a user visits a page containing the shortened content, allowing theft of credentials, session hijacking, or defacement.", "risk_and_exploitability": "CVSS score of 6.4 indicates moderate impact, and the vulnerability is not listed in CISA KEV and has no EPSS available, suggesting limited public exploitation data. The attack requires an authenticated Contributor+ user to add or edit content with malicious shortcode attributes; once injected, the script is stored server\u2011side and executed for all visitors, leading to a wide exposure surface. Because the attacker must log in, the risk is moderate but still significant for sites that allow wide Contributor permissions."}}}}, "created": "2026-04-22T09:30:13.553563+00:00", "updated": "2026-04-22T11:43:59.871630+00:00", "vendors": ["karim42", "karim42$PRODUCT$quran_live_multilanguage", "wordpress", "wordpress$PRODUCT$wordpress"]}