Platform
wordpress
Component
quran-gateway
Fixed in
1.5.1
CVE-2025-14164 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Quran Gateway plugin for WordPress. Because the settings handler does not validate a nonce, an unauthenticated attacker can craft a request that modifies the plugin's display settings when a logged-in administrator is induced to submit it. The vulnerability affects versions 0.0.0 through 1.5; a fix is available in a subsequent release.
An attacker exploiting this CSRF vulnerability could trick a WordPress administrator into unknowingly executing actions that modify the Quran Gateway plugin's configuration. This could involve altering the plugin's appearance or functionality, or injecting malicious code through configuration options. While the direct impact might seem limited to the plugin itself, a compromised plugin can be a stepping stone for further attacks on the WordPress site, potentially leading to data breaches or complete site takeover. The ability to modify display settings could also be used to deface the website or redirect users to malicious sites.
This vulnerability was publicly disclosed on 2025-12-20. No public proof-of-concept (PoC) code had been identified at the time of writing, and the vulnerability is not currently listed in the CISA KEV catalog. Given the relatively low CVSS score and the absence of public exploits, the probability of active exploitation is currently considered low, but vigilance is still advised.
WordPress sites running the Quran Gateway plugin, particularly those with multiple administrators or on shared hosting, are at increased risk. Sites with outdated plugin versions and inadequate security practices are especially exposed.
• wordpress / composer / npm:
grep -r "quran_gateway_options" /var/www/html/wp-content/plugins/
• generic web:
curl -I "https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=quran_gateway_options" | grep -i "csrf token"
Disclosure
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14164 is to upgrade the Quran Gateway plugin to a version that includes the necessary nonce validation. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider a Web Application Firewall (WAF) rule that blocks suspicious requests targeting the qurangatewayoptions function. Additionally, review any unexpected changes to the plugin's settings and restrict administrator access to those who require it. After upgrading, confirm the fix by submitting a request to the plugin's settings page without a valid nonce and verifying that it is rejected.
No known patch is available. Please review the vulnerability details thoroughly and apply mitigations based on your organization's risk appetite. It may be best to uninstall the affected software and find a replacement.
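To make the "missing nonce validation" concrete, the following is an added example written for this page; it is not the Quran Gateway plugin's own code. It shows a hypothetical WordPress settings handler that accepts any POST from an administrator's browser (the CSRF-prone pattern), beside a hardened handler that verifies a nonce with check_admin_referer(), checks the caller's capability, and allow-lists the stored value. The hook names (qg_save_settings, qg_save_settings_unsafe), the option name quran_gateway_options, the form field names and the nonce action string are all assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Hook names, option name and field
// names are assumptions for illustration.

// --- Vulnerable pattern: trusts any POST arriving with an admin session ---
// A third-party page can auto-submit a form to admin-post.php; the browser
// attaches the admin's session cookie, so the option is overwritten without
// the admin's intent. Nothing here proves the request came from our form.
add_action( 'admin_post_qg_save_settings_unsafe', function () {
    $layout = isset( $_POST['layout'] ) ? $_POST['layout'] : 'default';
    update_option( 'quran_gateway_options', array( 'layout' => $layout ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=quran-gateway' ) );
    exit;
} );

// --- Hardened pattern ---
// 1. Render the form with a nonce field bound to this specific action.
function qg_render_settings_form() {
    $opts   = get_option( 'quran_gateway_options', array( 'layout' => 'default' ) );
    $layout = isset( $opts['layout'] ) ? $opts['layout'] : 'default';
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="qg_save_settings">
        <?php wp_nonce_field( 'qg_save_settings', 'qg_nonce' ); ?>
        <label>Layout
            <select name="layout">
                <option value="default" <?php selected( $layout, 'default' ); ?>>Default</option>
                <option value="compact" <?php selected( $layout, 'compact' ); ?>>Compact</option>
            </select>
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handler: verify the nonce, then the capability, then sanitize input.
add_action( 'admin_post_qg_save_settings', function () {
    // check_admin_referer() stops the request (HTTP 403) when the nonce is
    // missing or invalid, which is exactly what a cross-site form lacks.
    check_admin_referer( 'qg_save_settings', 'qg_nonce' );

    // A nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Allow-list the stored value instead of saving raw user input.
    $allowed = array( 'default', 'compact' );
    $layout  = isset( $_POST['layout'] )
        ? sanitize_text_field( wp_unslash( $_POST['layout'] ) )
        : 'default';
    if ( ! in_array( $layout, $allowed, true ) ) {
        $layout = 'default';
    }

    update_option( 'quran_gateway_options', array( 'layout' => $layout ) );
    wp_safe_redirect(
        add_query_arg( 'settings-updated', 'true', admin_url( 'options-general.php?page=quran-gateway' ) )
    );
    exit;
} );
```

Two design points worth noting: the nonce and the capability check answer different questions (did the user intend this request, and is the user allowed to do it), so a fix that adds only one of them is incomplete; and allow-listing the value limits what a successful request can store, which bounds the "inject malicious code through configuration options" impact described above even if some other control fails.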
CVE-2025-14164 is a Cross-Site Request Forgery (CSRF) vulnerability in the Quran Gateway WordPress plugin that allows attackers to modify its settings via forged requests.
If you are using Quran Gateway plugin versions 0.0.0 through 1.5, you are potentially affected by this vulnerability.
Upgrade the Quran Gateway plugin to a version that includes nonce validation. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
There is currently no evidence of active exploitation, but vigilance is still recommended.
Refer to the official Quran Gateway plugin website or the WordPress plugin repository for the latest advisory and updates.