{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4141", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T15:33:40.102Z", "datePublished": "2026-04-08T06:43:42.869Z", "dateUpdated": "2026-04-08T17:29:19.724Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:19.724Z"}, "affected": [{"vendor": "edckwt", "product": "Quran Translations", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quran_playlist_options() function that handles the plugin's settings page. The function processes POST requests to update plugin options via update_option() without any wp_nonce_field() in the form or wp_verify_nonce()/check_admin_referer() verification before processing. This makes it possible for unauthenticated attackers to modify plugin settings (toggling display options for PDF, RSS, podcast, media player links, playlist title, and playlist code) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Quran Translations <= 1.7 - Cross-Site Request Forgery to Playlist Settings Form", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e30379bf-0ea1-4443-81bb-4337a0311ed3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-translations-by-edc/trunk/playlist.php#L143"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-translations-by-edc/tags/1.7/playlist.php#L143"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-translations-by-edc/trunk/playlist.php#L167"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-translations-by-edc/tags/1.7/playlist.php#L167"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-04-07T17:37:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T16:00:54.482587Z", "id": "CVE-2026-4141", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:01:02.522Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4141", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T16:00:54.482587Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:00:59.209Z"}}], "cna": {"title": "Quran Translations <= 1.7 - Cross-Site Request Forgery to Playlist Settings Form", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "edckwt", "product": "Quran Translations", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-07T17:37:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e30379bf-0ea1-4443-81bb-4337a0311ed3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-translations-by-edc/trunk/playlist.php#L143"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-translations-by-edc/tags/1.7/playlist.php#L143"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-translations-by-edc/trunk/playlist.php#L167"}, {"url": "https://plugins.trac.wordpress.org/browser/quran-translations-by-edc/tags/1.7/playlist.php#L167"}], "descriptions": [{"lang": "en", "value": "The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quran_playlist_options() function that handles the plugin's settings page. The function processes POST requests to update plugin options via update_option() without any wp_nonce_field() in the form or wp_verify_nonce()/check_admin_referer() verification before processing. This makes it possible for unauthenticated attackers to modify plugin settings (toggling display options for PDF, RSS, podcast, media player links, playlist title, and playlist code) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:19.724Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4141", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:19.724Z", "dateReserved": "2026-03-13T15:33:40.102Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T06:43:42.869Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quran_playlist_options() function that handles the plugin's settings page. The function processes POST requests to update plugin options via update_option() without any wp_nonce_field() in the form or wp_verify_nonce()/check_admin_referer() verification before processing. This makes it possible for unauthenticated attackers to modify plugin settings (toggling display options for PDF, RSS, podcast, media player links, playlist title, and playlist code) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2026-4141", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T07:16:22.233", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-translations-by-edc/tags/1.7/playlist.php#L143"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-translations-by-edc/tags/1.7/playlist.php#L167"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-translations-by-edc/trunk/playlist.php#L143"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quran-translations-by-edc/trunk/playlist.php#L167"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e30379bf-0ea1-4443-81bb-4337a0311ed3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Quran Translations", "source": "cna", "vendor": "edckwt"}, "product": "quran_translations", "vendor": "edckwt"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T08:21:09.491418+00:00", "value": {"mitigation_remediation": ["Install the latest version of the Quran Translations plugin that includes nonce verification", "Verify that the settings form now includes a nonce field and that verification occurs before updating options", "If immediate upgrade is impossible, disable the plugin\u2019s settings page or restrict that capability to a higher privileged role", "Deploy a web application firewall or CSRF protection plugin to monitor and block forged POST requests to WordPress settings endpoints"], "summary": {"action": "Patch Plugin", "impact": "Unauthorized modification of plugin settings via CSRF"}, "threat_synthesis": {"affected_systems": "This flaw affects the WordPress plugin Quran Translations, versions 1.7 and earlier. End\u2011users running any of those releases, especially administrators who have permission to modify the plugin\u2019s configuration, are vulnerable. The issue exists only in the plugin code and does not impact core WordPress or other plugins.", "description_and_impact": "The Quran Translations plugin for WordPress contains a CSRF weakness that permits unauthenticated attackers to submit forged POST requests to the plugin's settings page. Because the application lacks nonce verification, any request reaching the update_option() call will alter plugin options. An attacker could therefore flip controls such as PDF, RSS, podcast, media player links, or change the playlist title and code, effectively hijacking the public display configuration of the site.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a medium severity threat, and the EPSS score is not publicly available. The vulnerability is not currently listed in CISA\u2019s KEV catalog. Attackers need only craft a link or page that an administrator will click; no privileged credentials are required. If an administrator submits the forged request, the plugin settings will change at the site level, potentially exposing the site to further misuse or operational disruption."}}}}, "created": "2026-04-08T19:31:02.517868+00:00", "updated": "2026-04-08T19:43:34.002359+00:00", "vendors": ["edckwt", "edckwt$PRODUCT$quran_translations", "wordpress", "wordpress$PRODUCT$wordpress"]}