Quran Gateway WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Quran Gateway plugin for WordPress, affecting all versions up to and including 1.5. The vulnerability arises from a lack of nonce validation in the 'quran_gateway_options' function, allowing unauthenticated attackers to manipulate the plugin's display settings. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.
Impact
Exploitation of this vulnerability could lead to unauthorized changes in the plugin's settings, potentially allowing attackers to modify how the Quran is displayed on the site, including its translation and audio features.
Reproduction
To reproduce this vulnerability, an attacker must send a forged request to the 'quran_gateway_options' function without a valid nonce. This can be done by tricking an administrator into clicking a link that activates the request, such as through a phishing email or a malicious website.
Remediation
No known patch is available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
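The following PHP is an added illustration and is not code from the Quran Gateway plugin: it places the missing-nonce pattern the advisory describes beside the hardened form a patched settings handler would use (a nonce field in the form, `check_admin_referer()` plus a capability check before any `update_option()` call). The `qg_` prefix, the option and field names, and the list of translation codes are assumptions made for the example.

```php
<?php
// Added illustration, not code from the Quran Gateway plugin. Option names,
// field names and the 'qg_' prefix are assumptions made for this example.

// --- Vulnerable pattern: any request carrying these fields is honoured -------
// Nothing ties the request to a form the administrator actually submitted, so
// a forged cross-site POST sent from the admin's browser is indistinguishable
// from a legitimate save. This is the class of defect the advisory describes.
function qg_options_vulnerable() {
    if ( isset( $_POST['qg_translation'] ) ) {
        update_option( 'qg_translation', $_POST['qg_translation'] );
        update_option( 'qg_audio', isset( $_POST['qg_audio'] ) ? 1 : 0 );
    }
}

// --- Hardened pattern --------------------------------------------------------
// 1. Render the settings form with a nonce bound to the 'qg_save_options' action.
function qg_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'qg_save_options', 'qg_nonce' ); // emits hidden nonce + referer fields
    echo '<input type="hidden" name="action" value="qg_save_options">';
    echo '<input name="qg_translation" value="' . esc_attr( get_option( 'qg_translation', '' ) ) . '">';
    echo '<input type="checkbox" name="qg_audio" value="1"' . checked( get_option( 'qg_audio', 0 ), 1, false ) . '>';
    submit_button();
    echo '</form>';
}

// 2. Verify the nonce and the caller's capability before touching any option.
function qg_options_hardened() {
    // Stops the request (HTTP 403 page) if the nonce is absent, expired, or was
    // issued for a different user or action. A cross-site forged request cannot
    // supply a valid nonce because it is per-user and never sent to third parties.
    check_admin_referer( 'qg_save_options', 'qg_nonce' );

    // The nonce proves intent, not privilege: still confirm the user may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'qg' ), '', array( 'response' => 403 ) );
    }

    // Sanitise and allow-list before storing. The code list is constructed for the example.
    $allowed     = array( 'en', 'fr', 'ur' );
    $translation = isset( $_POST['qg_translation'] )
        ? sanitize_text_field( wp_unslash( $_POST['qg_translation'] ) )
        : '';
    if ( in_array( $translation, $allowed, true ) ) {
        update_option( 'qg_translation', $translation );
    }
    update_option( 'qg_audio', empty( $_POST['qg_audio'] ) ? 0 : 1 );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_qg_save_options', 'qg_options_hardened' );
```

The two checks are deliberately separate: `check_admin_referer()` only establishes that the request originated from a form WordPress rendered for this user, while `current_user_can()` establishes that the user is allowed to change settings at all. A handler that performs only the capability check remains forgeable, which is the situation the advisory describes; a handler that performs only the nonce check would let any logged-in user who could reach the form change the options.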
