Platform
wordpress
Component
quran-translations-by-edc
Fixed in
1.7.1
CVE-2026-4141 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Quran Translations plugin for WordPress, caused by missing or incorrect nonce validation on the plugin's settings save handler. An attacker who holds no credentials on the site can change the plugin's settings, provided they can get a logged-in administrator to submit a forged request, for example by visiting an attacker-controlled page that auto-submits a hidden form; the administrator's browser attaches the session cookies, so the request is accepted as if it came from the administrator. Settings that can be changed this way include the display of the PDF, RSS, and media player links. The issue affects versions up to and including 1.7 and is fixed in 1.7.1.
Because the forged request runs with the administrator's privileges, the attacker can disable features, alter display settings, or, if any setting feeds into generated page content, potentially inject content into the site's output. The impact is mainly to the appearance and functionality of the plugin on the affected site, but it can cause user confusion and, combined with other weaknesses, serve as a stepping stone for further attacks. The blast radius is limited to the specific WordPress site running the vulnerable plugin.
This vulnerability was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. No Proof of Concept (PoC) code has been publicly released. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress websites running the Quran Translations plugin at version 1.7 or earlier are at risk. Shared hosting environments where plugin updates are not consistently applied are at increased risk. Since the forged request has to come from an authenticated administrator's browser, sites whose administrators routinely browse other sites while logged in to wp-admin are the realistic targets; requiring authentication for the settings page does not by itself prevent this class of attack.
• wordpress / composer / npm: grep -r 'quran_playlist_options' /var/www/html/wp-content/plugins/
• wordpress / composer / npm: wp plugin list --status=inactive | grep quran-translations
• wordpress / composer / npm: wp plugin list | grep quran-translations
The first command locates the plugin by its option name even if the directory has been renamed; the second catches installed-but-inactive copies, which still need updating; the third shows the active copy with its version column. Any version at 1.7 or below is affected; 1.7.1 or later is fixed.
Exploit Status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Quran Translations plugin to version 1.7.1 or later, where the settings handler validates the nonce. If upgrading immediately is not feasible, a Web Application Firewall (WAF) rule can reduce exposure: a WAF cannot validate a WordPress nonce (it is bound to the user's session), but it can reject POST requests to the plugin's settings page that carry no nonce field at all, or whose Origin or Referer header is missing or names a host other than the site itself. Restricting the settings page to authenticated administrators is already WordPress's default and does not stop CSRF, because the forged request is sent from the administrator's own browser; until the upgrade is applied, administrators should avoid browsing untrusted sites while logged in to wp-admin. Verify the upgrade by submitting the settings form with the nonce field removed (for example, via the browser's developer tools) and confirming that the plugin rejects the request instead of saving.
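The following is an added illustration, not code from the Quran Translations plugin and not reconstructed from it. It shows the pattern behind the vulnerability described above (a settings save handler with no nonce check) beside the hardened form the fix corresponds to (nonce emitted in the form, nonce and capability verified before writing). The option name `quran_playlist_options` is taken from this page's detection grep; the `qt_*` function names, the `qt_save_settings` nonce action, the `qt_nonce` field name, and the three checkbox fields are assumptions chosen for the example.

```php
<?php
/**
 * Added example, not code from the Quran Translations plugin. The option name
 * 'quran_playlist_options' comes from this page's detection grep; every other
 * identifier (qt_* functions, the 'qt_save_settings' nonce action, the field
 * names) is an assumption made for illustration.
 */

// Reads the three toggles from the POST body. Shared by both handlers below.
function qt_read_settings_from_post() {
    return array(
        'show_pdf'    => ! empty( $_POST['show_pdf'] ),
        'show_rss'    => ! empty( $_POST['show_rss'] ),
        'show_player' => ! empty( $_POST['show_player'] ),
    );
}

/*
 * VULNERABLE: the only gate is "was the save button posted?". WordPress makes
 * sure an administrator is logged in before this admin page runs, but nothing
 * proves the administrator meant to submit this form. A page on any other
 * origin can auto-submit a hidden form to the settings URL; the browser adds
 * the admin's cookies, so the forged request is indistinguishable here.
 */
function qt_save_settings_vulnerable() {
    if ( isset( $_POST['qt_save'] ) ) {
        update_option( 'quran_playlist_options', qt_read_settings_from_post() );
    }
}

/*
 * HARDENED: the form carries a nonce bound to the current user, session and
 * action, and the handler refuses to write unless the nonce and the capability
 * both check out. A page on another origin cannot read the nonce value
 * (same-origin policy) and so cannot build a request that passes.
 */
function qt_render_settings_form() {
    $opts = (array) get_option( 'quran_playlist_options', array() );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'qt_save_settings', 'qt_nonce' ); ?>
        <label><input type="checkbox" name="show_pdf" value="1"
            <?php checked( ! empty( $opts['show_pdf'] ) ); ?>> PDF links</label><br>
        <label><input type="checkbox" name="show_rss" value="1"
            <?php checked( ! empty( $opts['show_rss'] ) ); ?>> RSS links</label><br>
        <label><input type="checkbox" name="show_player" value="1"
            <?php checked( ! empty( $opts['show_player'] ) ); ?>> Media player</label>
        <?php submit_button( 'Save', 'primary', 'qt_save' ); ?>
    </form>
    <?php
}

function qt_save_settings_hardened() {
    if ( ! isset( $_POST['qt_save'] ) ) {
        return;
    }
    // Authorization: being logged in is not enough, the user must be allowed
    // to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 403 );
    }
    // CSRF check: check_admin_referer() validates the nonce in $_POST['qt_nonce']
    // against the 'qt_save_settings' action for the current user and calls
    // wp_die() on failure, so a forged request never reaches update_option().
    check_admin_referer( 'qt_save_settings', 'qt_nonce' );

    update_option( 'quran_playlist_options', qt_read_settings_from_post() );
}

// Wire the hardened handler to run early on admin requests; the vulnerable
// one is kept above only for comparison and is never hooked.
add_action( 'admin_init', 'qt_save_settings_hardened' );
```

To confirm a handler of this shape is protected, submit the form once normally and then once with the `qt_nonce` field deleted from the request; the second attempt should stop at `check_admin_referer()` with WordPress's "The link you followed has expired." response and leave the option unchanged. The same test applies to the real plugin after upgrading to 1.7.1.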
CVE-2026-4141 is a Cross-Site Request Forgery vulnerability in the Quran Translations WordPress plugin, versions up to 1.7, that lets an attacker with no credentials change plugin settings by tricking a logged-in administrator into submitting a forged request.
You are affected if your WordPress site uses the Quran Translations plugin version 1.7 or earlier. Upgrade to a patched version to resolve the issue.
Upgrade the Quran Translations plugin to version 1.7.1 or later. As a temporary measure, a WAF rule that rejects POSTs to the settings page lacking a nonce field or a same-host Origin/Referer header reduces exposure.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-4141.
Check the official Quran Translations plugin page on WordPress.org for updates and security advisories.