CVE-2026-8845

Vulnerability

The Islamic Database plugin for WordPress, version 1.0 and earlier, contains a Stored Cross-Site Scripting (XSS) vulnerability in the islamicDB-roqya shortcode. The islamicDB_sc_quran_qari_roqya() function at lines 561-567 of islamic_database.php directly concatenates user-supplied width and height shortcode attributes into HTML iframe attributes without proper sanitization or output escaping [1][2]. The affected shortcode is registered via add_shortcode('islamicDB-roqya', ...).

Exploitation

An attacker with at least Contributor-level access to a WordPress site can craft a post or page containing the [islamicDB-roqya] shortcode with malicious width or height attribute values. For example, setting width="100%" onload="alert('XSS')" would inject arbitrary JavaScript. The injected shortcode parameters are stored in the WordPress database and rendered on page load without further sanitization, causing the script to execute in the browser of any user viewing the affected page.

Impact

Successful exploitation allows an authenticated attacker with contributor privileges or higher to inject arbitrary web scripts (JavaScript) into WordPress pages. This Stored XSS can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive user data. The script executes whenever a victim accesses the compromised page, and the attacker does not need additional user interaction beyond the victim's normal visit.

Mitigation

No patched version has been released as of the publication date (2026-05-27). The affected version is 1.0, the only released version. Users should remove or disable the 'Islamic Database' plugin until a security update is available. A workaround is to restrict contributor-level access to trusted users only, but this does not fully mitigate the vulnerability. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.