Platform: wordpress
Component: quran-translations-by-edc
Fixed in: 1.7.1
CVE-2026-4141 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Quran Translations plugin for WordPress. This vulnerability allows unauthenticated attackers to modify plugin settings, potentially altering the display of features like PDF, RSS, and media player links. The issue impacts versions of the plugin up to and including 1.7, and a fix is available in subsequent releases.
An attacker could use this CSRF vulnerability to change the plugin's configuration without credentials of their own, by inducing an already authenticated administrator's browser to submit a forged request. This could mean disabling essential features, altering display settings, or potentially injecting malicious content if the plugin's settings influence content generation. The impact is mainly to the appearance and functionality of the plugin within the WordPress site, but it could lead to user confusion or, in more complex scenarios, serve as a stepping stone for further attacks. The blast radius is limited to the specific WordPress site running the vulnerable plugin.
This vulnerability was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. No Proof of Concept (PoC) code has been publicly released. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Quran Translations plugin to a version newer than 1.7, where the nonce validation issue has been addressed. If immediate upgrading is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out POST requests to the plugin's settings page that lack proper CSRF tokens. Additionally, restrict access to the plugin's settings page to authenticated administrators only. Verify the upgrade by accessing the plugin's settings page and confirming that POST requests now include valid nonce tokens.
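The root cause named above is a settings handler that writes options without nonce validation. The following is an added illustration, not the Quran Translations plugin's own code: the function names, option key and form field names (prefixed `qt_edc_`) are hypothetical, and it uses only standard WordPress APIs (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `update_option`). The vulnerable pattern is shown next to the hardened one so that a reviewer auditing a plugin knows what to look for.

```php
<?php
/**
 * Added example: a WordPress settings form with and without CSRF protection.
 * All qt_edc_* names and the 'qt_edc_settings' option key are hypothetical
 * placeholders, not identifiers from the affected plugin.
 */

// --- Vulnerable pattern: options written from POST with no nonce check ---
// A forged form submitted by an authenticated admin's browser succeeds here,
// because nothing ties the request to a page this site actually rendered.
function qt_edc_save_settings_vulnerable() {
    if ( ! isset( $_POST['qt_edc_save'] ) ) {
        return;
    }
    update_option( 'qt_edc_settings', array(
        'show_pdf'    => ! empty( $_POST['qt_edc_show_pdf'] ),
        'show_rss'    => ! empty( $_POST['qt_edc_show_rss'] ),
        'show_player' => ! empty( $_POST['qt_edc_show_player'] ),
    ) );
}

// --- Hardened pattern: nonce embedded in the form, verified before writing ---
function qt_edc_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="qt_edc_save_settings">
        <?php
        // Emits a hidden field bound to this action and the current user's
        // session; it expires, so a stale or cross-site copy will not verify.
        wp_nonce_field( 'qt_edc_save_settings', 'qt_edc_nonce' );
        ?>
        <label><input type="checkbox" name="qt_edc_show_pdf" value="1"> Show PDF link</label>
        <label><input type="checkbox" name="qt_edc_show_rss" value="1"> Show RSS link</label>
        <label><input type="checkbox" name="qt_edc_show_player" value="1"> Show media player</label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function qt_edc_save_settings_hardened() {
    // 1. Authorization: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: check_admin_referer() verifies the nonce for this action
    //    and stops the request with a 403 page if it is missing or invalid.
    check_admin_referer( 'qt_edc_save_settings', 'qt_edc_nonce' );

    // 3. Only after both checks are the submitted values read and persisted.
    update_option( 'qt_edc_settings', array(
        'show_pdf'    => ! empty( $_POST['qt_edc_show_pdf'] ),
        'show_rss'    => ! empty( $_POST['qt_edc_show_rss'] ),
        'show_player' => ! empty( $_POST['qt_edc_show_player'] ),
    ) );

    // Return to the (hypothetical) settings page with a success flag.
    wp_safe_redirect( add_query_arg(
        'settings-updated',
        'true',
        admin_url( 'options-general.php?page=qt-edc-settings' )
    ) );
    exit;
}

// Route the form's action name to the hardened handler (admin-post.php only
// fires admin_post_* hooks for logged-in users; the nonce check still matters
// because a logged-in admin is exactly who a CSRF request is forged against).
add_action( 'admin_post_qt_edc_save_settings', 'qt_edc_save_settings_hardened' );
```

When reviewing a plugin for this class of bug, look for every `update_option()` or similar write that is reachable from request data and confirm that a `check_admin_referer()` or `wp_verify_nonce()` call guards it. The WAF stopgap suggested above can only test for the presence of a nonce parameter, not its validity, since the nonce is tied to the user's session and action; it buys time but does not replace the server-side check that the patched release provides.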
CVE-2026-4141 is a Cross-Site Request Forgery vulnerability in the Quran Translations WordPress plugin, allowing attackers to modify settings without authentication in versions up to 1.7.
You are affected if your WordPress site uses the Quran Translations plugin version 1.7 or earlier. Upgrade to a patched version to resolve the issue.
Upgrade the Quran Translations plugin to a version newer than 1.7. Consider WAF rules and restricted access to the settings page as temporary mitigations.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-4141.
Check the official Quran Translations plugin page on WordPress.org for updates and security advisories.