The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran_live_render() function of quran-live.php receives shortcode attributes and passes them directly through shortcode_atts() and extract() without any sanitization. These values are then passed to Render_Quran_Live::render_verse_quran_live() where they are echoed directly into inline <script> blocks using PHP short tags (<?=$cheikh;?> and <?=$lang;?>) at lines 191, 216, 217, 245, and 246 of Class_QuranLive.php. Since the output occurs inside a JavaScript context within <script> tags, an attacker can break out of the JavaScript string and inject arbitrary script code. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Quran Live Multilanguage WordPress plugin versions up to 1.0.3 contain a Stored Cross-Site Scripting vulnerability in shortcode attributes that lack proper sanitization and escaping. Attackers can inject malicious JavaScript code through the 'cheikh' and 'lang' parameters, affecting all users viewing pages with vulnerable shortcodes.
تحتوي إضافة Quran Live Multilanguage للإصدارات حتى 1.0.3 على ثغرة XSS مخزنة في دالة quran_live_render() حيث يتم تمرير سمات shortcode مباشرة دون تنظيف أو تجنب. يتم إدراج القيم المضرة مباشرة في كتل JavaScript باستخدام علامات PHP القصيرة، مما يسمح للمهاجمين بحقن أكواد JavaScript عشوائية.
The Quran Live Multilanguage WordPress plugin versions up to 1.0.3 contain a Stored Cross-Site Scripting vulnerability in shortcode attributes that lack proper sanitization and escaping. Attackers can inject malicious JavaScript code through the 'cheikh' and 'lang' parameters, affecting all users viewing pages with vulnerable shortcodes.
Update the Quran Live Multilanguage plugin to version 1.0.4 or later immediately. Implement proper input sanitization using sanitize_text_field() and output escaping using esc_js() or esc_attr() for all shortcode attributes before rendering in JavaScript contexts. Review and audit all shortcode implementations for similar vulnerabilities.
قم بتحديث إضافة Quran Live Multilanguage إلى الإصدار 1.0.4 أو أحدث فوراً. طبق تنظيف المدخلات الصحيح باستخدام sanitize_text_field() وتجنب المخرجات باستخدام esc_js() أو esc_attr() لجميع سمات shortcode قبل العرض في سياقات JavaScript. قم بمراجعة وتدقيق جميع تطبيقات shortcode للبحث عن ثغرات مماثلة.