Platform: wordpress
Component: quran-gateway
Fixed in: 1.5.1
CVE-2025-14164 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Quran Gateway plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's display settings by crafting malicious requests. The vulnerability impacts versions 0.0.0 through 1.5, and a fix is available in a subsequent release.
An attacker exploiting this CSRF vulnerability could trick a WordPress administrator into unknowingly executing actions that modify the Quran Gateway plugin's configuration. This could involve altering the plugin's appearance, functionality, or even injecting malicious code through configuration options. While the direct impact might seem limited to the plugin itself, a compromised plugin can be a stepping stone for further attacks on the WordPress site, potentially leading to data breaches or complete site takeover. The ability to modify display settings could also be used to deface the website or redirect users to malicious sites.
This vulnerability was publicly disclosed on 2025-12-20. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively low CVSS score and lack of public exploits, the probability of active exploitation is currently considered low, but vigilance is still advised.
Exploit Status
EPSS: 0.02% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-14164 is to upgrade the Quran Gateway plugin to a version that includes the necessary nonce validation. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the qurangatewayoptions function. Additionally, carefully review any unexpected changes to the plugin's settings and restrict administrator access to only those who require it. After upgrading, confirm the fix by attempting a CSRF attack against the plugin's settings page and verifying that the request is rejected.
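To illustrate the nonce validation the advisory refers to, the added example below (not code from the Quran Gateway plugin; all function and option names are hypothetical) shows a settings handler of the kind affected, first without any request-origin check and then with the standard WordPress capability and nonce checks that reject a forged request:

```php
<?php
// Added example, not the plugin's own code. Function and option names are hypothetical.

// VULNERABLE pattern: every POST reaching this handler is trusted, so a hidden form
// on an attacker-controlled page, submitted by a logged-in admin's browser, changes
// the display setting. No nonce, no capability check, no sanitization.
function qg_example_save_settings_vulnerable() {
    if ( isset( $_POST['qg_layout'] ) ) {
        update_option( 'qg_example_layout', $_POST['qg_layout'] );
    }
}

// FIXED pattern, step 1: render the form with a nonce bound to a specific action.
// wp_nonce_field() emits the nonce and the referer hidden fields.
function qg_example_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="qg_example_save_settings">';
    wp_nonce_field( 'qg_example_save_settings', 'qg_example_nonce' );
    echo '<input type="text" name="qg_layout" value="'
        . esc_attr( get_option( 'qg_example_layout', 'default' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// FIXED pattern, step 2: verify who is asking and that the request carries a valid
// nonce before touching any option. A cross-site forged request cannot know the
// nonce, so check_admin_referer() stops it with a 403-style wp_die() page.
function qg_example_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'qg_example_save_settings', 'qg_example_nonce' );

    $layout = sanitize_text_field( wp_unslash( $_POST['qg_layout'] ?? 'default' ) );
    update_option( 'qg_example_layout', $layout );

    wp_safe_redirect( admin_url( 'options-general.php?page=qg-example&settings-updated=true' ) );
    exit;
}
add_action( 'admin_post_qg_example_save_settings', 'qg_example_save_settings_fixed' );
```

When reviewing a plugin for this class of bug, look for any handler that calls update_option() on request data without a preceding check_admin_referer() or wp_verify_nonce() call.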
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-14164 is a Cross-Site Request Forgery (CSRF) vulnerability in the Quran Gateway WordPress plugin, allowing attackers to modify settings via forged requests.
If you are using Quran Gateway plugin versions 0.0.0 through 1.5, you are potentially affected by this vulnerability.
Upgrade the Quran Gateway plugin to a version that includes nonce validation. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
Currently, there is no evidence of active exploitation, but vigilance is still recommended.
Refer to the official Quran Gateway plugin website or WordPress plugin repository for the latest advisory and updates.