Vulnerabilities ›

CVE-2026-8845

Medium

CWE-79 — Weakness Type

                    Published: May 27, 2026                      ·  Modified: May 30, 2026                      ·  Source: NVD                

CVSS v3

6.4

🔗 NVD Official

📄 Description (English)

The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied 'width' and 'height' shortcode attributes within the islamicDB_sc_quran_qari_roqya() function, which are concatenated directly into HTML iframe attribute values. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

🤖 AI Executive Summary

The Islamic Database WordPress plugin (v1.0 and earlier) contains a Stored XSS vulnerability in the 'islamicDB-roqya' shortcode that allows authenticated contributors to inject malicious scripts through unsanitized width/height attributes. While requiring contributor-level access, this vulnerability poses a significant risk in multi-user WordPress environments common in Saudi organizations. No patch is currently available, requiring immediate compensating controls.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 28, 2026 09:19

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily affects Saudi organizations using WordPress for Islamic content delivery, Quranic resources, and religious education platforms. Most at-risk sectors include: (1) Government religious affairs agencies and Islamic ministry websites, (2) Educational institutions offering Islamic studies, (3) Healthcare facilities with Islamic counseling portals, (4) Banking sector Islamic finance divisions using WordPress for Sharia-compliant product information, (5) Telecom companies (STC, Mobily) hosting Islamic content services. The risk is elevated in organizations with multiple content contributors where access control may be less stringent.

🏢 Affected Saudi Sectors

Government (Religious Affairs, Islamic Ministry) Education (Islamic Studies Institutions) Healthcare (Islamic Counseling Services) Banking (Islamic Finance Divisions) Telecommunications (Islamic Content Services) Non-Profit (Religious Organizations)

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application (WordPress plugin vulnerability) T1598 - Phishing (via injected malicious scripts in pages) T1566 - Phishing (email with links to compromised pages) T1059 - Command and Scripting Interpreter (JavaScript execution) T1547 - Boot or Logon Initialization Scripts (persistent XSS payload) T1136 - Create Account (potential account creation via injected scripts) T1087 - Account Discovery (credential harvesting via XSS)

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Audit all WordPress installations using Islamic Database plugin v1.0 or earlier across your organization

2. Review user access logs for contributor-level accounts and identify suspicious shortcode usage

3. Disable the 'islamicDB-roqya' shortcode functionality until patched



COMPENSATING CONTROLS:

1. Restrict contributor role permissions: Remove 'edit_posts' capability and use 'pending_review' workflow requiring admin approval

2. Implement Web Application Firewall (WAF) rules to detect and block iframe injection patterns in shortcode attributes

3. Deploy Content Security Policy (CSP) headers: frame-src 'self'; script-src 'self' to prevent inline script execution

4. Enable WordPress security plugins (Wordfence, Sucuri) with real-time malware scanning

5. Implement input validation: Use regex to whitelist only numeric values for width/height (^[0-9]+$)



DETECTION RULES:

1. Monitor database for shortcodes containing 'javascript:', 'onerror=', 'onload=' patterns

2. Log all shortcode attribute modifications by contributor accounts

3. Alert on iframe src attributes containing encoded or suspicious parameters

4. Review post revisions for XSS payload injection attempts



PATCHING STRATEGY:

1. Contact plugin developer for security update timeline

2. Prepare migration plan to alternative Islamic content plugins if no patch released within 30 days

3. Test any available updates in staging environment before production deployment

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون Islamic Database الإصدار 1.0 أو أقدم عبر مؤسستك

2. مراجعة سجلات وصول المستخدمين للحسابات على مستوى المساهم وتحديد استخدام الاختصارات المريبة

3. تعطيل وظيفة اختصار 'islamicDB-roqya' حتى يتم إصلاحها

الضوابط التعويضية:

1. تقييد أذونات دور المساهم: إزالة قدرة 'edit_posts' واستخدام سير عمل 'pending_review' يتطلب موافقة المسؤول

2. تطبيق قواعد جدار الحماية لتطبيقات الويب (WAF) للكشف عن أنماط حقن iframe وحجبها

3. نشر رؤوس سياسة أمان المحتوى (CSP): frame-src 'self'; script-src 'self' لمنع تنفيذ البرامج النصية المضمنة

4. تفعيل مكونات أمان WordPress (Wordfence, Sucuri) مع المسح الفوري للبرامج الضارة

5. تطبيق التحقق من الإدخال: استخدام regex للسماح فقط بالقيم الرقمية للعرض والارتفاع (^[0-9]+$)

قواعد الكشف:

1. مراقبة قاعدة البيانات للاختصارات التي تحتوي على أنماط 'javascript:', 'onerror=', 'onload='

2. تسجيل جميع تعديلات سمات الاختصار بواسطة حسابات المساهمين

3. التنبيه على سمات iframe src التي تحتوي على معاملات مشفرة أو مريبة

4. مراجعة مراجعات المنشورات لمحاولات حقن حمولة XSS

استراتيجية الإصلاح:

1. الاتصال بمطور المكون لمعرفة الجدول الزمني لتحديث الأمان

2. تحضير خطة الهجرة إلى مكونات محتوى إسلامية بديلة إذا لم يتم إصدار تصحيح خلال 30 يوماً

3. اختبار أي تحديثات متاحة في بيئة التدريج قبل نشر الإنتاج

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.14.2.1 - Information security requirements for supplier relationships (plugin vendor security) ECC 2024 A.14.2.5 - Addressing information security in supplier agreements ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.5.23 - Access control and authentication for web applications

🔵 SAMA CSF

SAMA CSF 1.1 - Governance and Risk Management (vulnerability management program) SAMA CSF 2.2 - Information Security (secure development and patch management) SAMA CSF 3.1 - Operational Resilience (incident detection and response) SAMA CSF 4.1 - Cyber Resilience (threat and vulnerability assessment)

🟡 ISO 27001:2022

ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities ISO 27001:2022 A.14.2.1 - Supplier security requirements ISO 27001:2022 A.5.23 - Web application access control ISO 27001:2022 A.8.3 - Segregation of duties and access control

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patches and updates for all system components PCI DSS 6.5.7 - Cross-site scripting (XSS) prevention PCI DSS 7.1 - Limit access to system components by business need-to-know

🔗 References & Sources 3

🔗

https://plugins.trac.wordpress.org/browser/islamic-database/trunk/islamic_database.php#...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/islamic-database/trunk/islamic_database.php#...

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/98c3762b-9dcd-4931-846e-3f54f...

security@wordfence.com

📊 CVSS Score

6.4

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.4

CWECWE-79

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-05-27

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-8845

Introduce Yourself

Sign In Required