[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyPUMUgGho8MFaBnD_H1urPWAKd2I0tPDXtaCa5FcCig":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4141","quran-translations-cross-site-request-forgery-to-playlist-settings-form","Quran Translations \u003C= 1.7 - Cross-Site Request Forgery to Playlist Settings Form","The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quran_playlist_options() function that handles the plugin's settings page. The function processes POST requests to update plugin options via update_option() without any wp_nonce_field() in the form or wp_verify_nonce()\u002Fcheck_admin_referer() verification before processing. This makes it possible for unauthenticated attackers to modify plugin settings (toggling display options for PDF, RSS, podcast, media player links, playlist title, and playlist code) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","quran-translations-by-edc",null,"\u003C=1.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-07 17:37:39","2026-04-08 06:43:42",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe30379bf-0ea1-4443-81bb-4337a0311ed3?source=api-prod",[],"researched",false,3,"This research plan outlines the technical steps required to exploit **CVE-2026-4141**, a Cross-Site Request Forgery (CSRF) vulnerability in the **Quran Translations** plugin for WordPress.\n\n## 1. Vulnerability Summary\nThe **Quran Translations** plugin (versions \u003C= 1.7) contains a CSRF vulnerability in its settings management logic. The function `quran_playlist_options()` (inferred) responsible for rendering and processing the plugin's settings page fails to implement nonce validation. Specifically, it processes `POST` requests and updates plugin options via `update_option()` without verifying a cryptographic nonce using `check_admin_referer()` or `wp_verify_nonce()`. \n\nAn attacker can exploit this by tricking an authenticated administrator into submitting a forged request, allowing the attacker to change critical plugin settings, such as the playlist title or injected playlist code.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoint**: `\u002Fwp-admin\u002Fadmin.php?page=quran_playlist` (slug inferred from function name `quran_playlist_options`).\n- **HTTP Method**: `POST`.\n- **Target Function**: `quran_playlist_options()`\n- **Vulnerable Sink**: `update_option()`.\n- **Authentication**: Requires a site administrator to be logged in (targeted via CSRF).\n- **Payload Parameters** (Inferred based on description):\n    - `playlist_title` or `quran_playlist_title`\n    - `playlist_code` or `quran_playlist_code`\n    - `show_pdf` \u002F `show_rss` \u002F `show_podcast` \u002F `show_media_player`\n    - A submit\u002Fsave parameter (e.g., `save_quran_options`).\n\n## 3. Code Flow\n1. **Hook Registration**: The plugin likely registers an admin menu page via the `admin_menu` hook:\n   ```php\n   add_action('admin_menu', 'quran_translations_menu');\n   function quran_translations_menu() {\n       add_options_page('Quran Playlist', 'Quran Playlist', 'manage_options', 'quran_playlist', 'quran_playlist_options');\n   }\n   ```\n2. **Execution**: When the administrator visits the settings page or a `POST` request is sent to that slug, `quran_playlist_options()` is executed.\n3. **Processing (Vulnerable)**: The function checks for `POST` data and calls `update_option()` directly:\n   ```php\n   function quran_playlist_options() {\n       if ( isset( $_POST['submit_options_check'] ) ) { \u002F\u002F Inferred trigger\n           \u002F\u002F MISSING: check_admin_referer('action_name');\n           update_option('quran_playlist_title', $_POST['playlist_title']);\n           update_option('quran_playlist_code', $_POST['playlist_code']);\n           \u002F\u002F ... other options\n       }\n       \u002F\u002F Render the form...\n   }\n   ```\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required for this exploit.** \nThe vulnerability exists specifically because the plugin **does not** implement or verify nonces. The `wp_nonce_field()` is missing from the form, and the backend processing lacks `check_admin_referer()` or `wp_verify_nonce()`.\n\nTo confirm this, the agent should:\n1. Navigate to the settings page as an admin: `browser_navigate(\"\u002Fwp-admin\u002Fadmin.php?page=quran_playlist\")`.\n2. Check the HTML source for a hidden input field with `name=\"_wpnonce\"`. Its absence confirms the vulnerability.\n\n## 5. Exploitation Strategy\nThe goal is to change the `playlist_title` to a malicious string (e.g., `\"CSRF_EXPLOITED\"`) and the `playlist_code` to a script block.\n\n### Step 1: Identify Parameter Names\nNavigate to the settings page and extract the exact `name` attributes for the form fields.\n```javascript\n\u002F\u002F Run in browser_eval\nconst fields = Array.from(document.querySelectorAll('input, textarea')).map(i => i.name);\nconsole.log(fields);\n```\n\n### Step 2: Craft and Send Forged Request\nUsing the `http_request` tool with the admin's session cookies, perform a `POST` request to the settings page.\n\n**Request Details**:\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=quran_playlist` (Inferred slug)\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**: (Adjust parameter names based on Step 1)\n  ```\n  playlist_title=VULNERABLE_TITLE&playlist_code=\u003Cscript>alert(1)\u003C\u002Fscript>&submit=Save+Changes\n  ```\n\n## 6. Test Data Setup\n1. **Plugin Installation**: Ensure the `quran-translations-by-edc` plugin version \u003C= 1.7 is active.\n2. **Admin Access**: The exploitation requires the `http_request` tool to use the administrator's cookies. Ensure the agent has logged in via `browser_navigate` first.\n3. **Initial State**: Verify current settings: `wp option get quran_playlist_title` (or the correct option name).\n\n## 7. Expected Results\n- The HTTP response from the `POST` request should be a `200 OK` or a `302 Redirect` back to the settings page.\n- The response body of the settings page should now display the updated values in the input fields.\n- The `update_option` calls will persist the new values in the WordPress database.\n\n## 8. Verification Steps\nAfter sending the exploit request, verify the state change using WP-CLI:\n```bash\n# Verify the title was changed\nwp option get quran_playlist_title\n\n# Verify the playlist code was changed (potentially containing XSS)\nwp option get quran_playlist_code\n```\nAdditionally, visit the frontend where the playlist is rendered (e.g., a page with the `[quran_playlist]` shortcode) to see if the modified values appear.\n\n## 9. Alternative Approaches\nIf the plugin uses `admin-post.php` instead of a self-submitting settings page:\n- **Target URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-post.php`\n- **Additional Parameter**: `action=update_quran_playlist` (or similar).\n\nIf the settings are handled via a specialized AJAX handler (though less likely for a settings form in this plugin type):\n- **Target URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Body**: `action=quran_save_settings&...` (without nonce).","The Quran Translations plugin for WordPress (versions up to 1.7) is vulnerable to Cross-Site Request Forgery (CSRF) because it fails to perform nonce validation on its settings management page. This allows unauthenticated attackers to modify plugin settings, such as the playlist title and injected playlist code, by tricking a logged-in administrator into submitting a forged POST request.","\u002F**\n * Inferred logic for the settings handler in quran-translations-by-edc\n *\u002F\nfunction quran_playlist_options() {\n    if ( isset( $_POST['submit_options_check'] ) ) { \n        \u002F\u002F MISSING: check_admin_referer() or wp_verify_nonce()\n        update_option('quran_playlist_title', $_POST['playlist_title']);\n        update_option('quran_playlist_code', $_POST['playlist_code']);\n        update_option('show_pdf', $_POST['show_pdf']);\n        update_option('show_rss', $_POST['show_rss']);\n        update_option('show_podcast', $_POST['show_podcast']);\n        update_option('show_media_player', $_POST['show_media_player']);\n    }\n    \n    \u002F\u002F In the form rendering part of the same function:\n    ?>\n    \u003Cform method=\"post\" action=\"\">\n        \u003C!-- MISSING: wp_nonce_field() -->\n        \u003Cinput type=\"text\" name=\"playlist_title\" value=\"\u003C?php echo get_option('quran_playlist_title'); ?>\">\n        \u003Ctextarea name=\"playlist_code\">\u003C?php echo get_option('quran_playlist_code'); ?>\u003C\u002Ftextarea>\n        \u003Cinput type=\"submit\" name=\"submit_options_check\" value=\"Save Changes\">\n    \u003C\u002Fform>\n    \u003C?php\n}","--- a\u002Fquran-translations.php\n+++ b\u002Fquran-translations.php\n@@ -3,6 +3,9 @@\n function quran_playlist_options() {\n     if ( isset( $_POST['submit_options_check'] ) ) {\n+        if ( ! isset( $_POST['quran_playlist_nonce'] ) || ! wp_verify_nonce( $_POST['quran_playlist_nonce'], 'quran_save_playlist_options' ) ) {\n+            wp_die( 'Security check failed' );\n+        }\n         update_option('quran_playlist_title', $_POST['playlist_title']);\n         update_option('quran_playlist_code', $_POST['playlist_code']);\n         \u002F\u002F ... other updates\n@@ -15,6 +18,7 @@\n     ?>\n     \u003Cform method=\"post\" action=\"\">\n+        \u003C?php wp_nonce_field( 'quran_save_playlist_options', 'quran_playlist_nonce' ); ?>\n         \u003Cinput type=\"text\" name=\"playlist_title\" value=\"\u003C?php echo get_option('quran_playlist_title'); ?>\">\n         \u003Cinput type=\"submit\" name=\"submit_options_check\" value=\"Save Changes\">\n     \u003C\u002Fform>","The exploit targets the plugin's settings page, typically located at \u002Fwp-admin\u002Fadmin.php?page=quran_playlist. Since the plugin does not implement any nonce checks or referer verification when processing POST requests to this page, an attacker can craft a malicious HTML form containing parameters like 'playlist_title', 'playlist_code', and 'submit_options_check'. By hosting this form on an external site and tricking an authenticated administrator into visiting it (e.g., via a phishing link or an image tag trigger), the browser will automatically submit the POST request with the administrator's session cookies, successfully updating the plugin options with the attacker's values without the admin's consent.","gemini-3-flash-preview","2026-04-17 20:37:43","2026-04-17 20:38:00",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquran-translations-by-edc\u002Ftags"]