CVE-2026-4074

Name of the Vulnerable Software and Affected Versions Quran Live Multilanguage plugin for WordPress versions prior to 1.0.4

Description Stored Cross-Site Scripting is possible due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran live render() function in quran-live.php receives attributes and passes them through shortcode atts() and extract() without sanitization. These values are then passed to Render Quran Live::render verse quran live() and echoed directly into inline and lang variables. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts that execute when a user accesses the affected page.

Recommendations Update the plugin to a version newer than 1.0.3.