Platform: wordpress
Component: tw-image-hover-share
Fixed in: 1.0.9
CVE-2025-13360 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Quantic Social Image Hover plugin for WordPress. This flaw allows unauthenticated attackers to modify the plugin's settings, potentially leading to the injection of malicious web scripts. The vulnerability impacts versions 1.0.0 through 1.0.8, and a fix is expected to be released by the vendor.
The primary impact of this CSRF vulnerability lies in the ability of an attacker to manipulate the Quantic Social Image Hover plugin's configuration without authentication. By crafting a malicious request and tricking a site administrator into clicking a link or visiting a compromised page, an attacker can alter plugin settings. This could involve injecting arbitrary JavaScript code, redirecting users to phishing sites, or modifying the plugin’s behavior to serve malicious content. The blast radius extends to all users of the affected WordPress site, particularly administrators who are more likely to interact with plugin settings.
This vulnerability was publicly disclosed on 2025-12-05. Currently, there are no known public proof-of-concept exploits available. The vulnerability carries a CVSS score of 4.3 (MEDIUM), a moderate severity rating rather than a measure of how likely exploitation is. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (3rd percentile)
CISA SSVC
CVSS Vector
The immediate mitigation for CVE-2025-13360 is to upgrade the Quantic Social Image Hover plugin to a patched version as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds such as restricting access to plugin settings pages to authenticated administrators only. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide a layer of protection. Regularly review plugin settings for any unauthorized changes. After upgrading, verify the plugin's settings have been restored to their intended configuration and that no malicious scripts have been injected.
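The pattern behind a settings-page CSRF in a WordPress plugin, and the fix a plugin author applies, look like the following. This is an added illustration written for this page, not code from the Quantic Social Image Hover plugin or its vendor: the hook name `example_hover_save`, the option `example_hover_settings`, the field names and the nonce action are all assumptions chosen for the example. The first handler stores whatever is posted with no nonce or capability check, so a form on an unrelated site can submit it from an administrator's browser; the second version refuses the request unless it carries a nonce tied to this action and this user session, checks the caller's capability, and sanitizes before storing.

```php
<?php
// Added example, not the plugin's own code. All names below are hypothetical.

// --- CSRF-prone handler: any POST to admin-post.php?action=example_hover_save
// that arrives from a logged-in administrator's browser is honoured, including
// one auto-submitted by a form on an attacker-controlled page. No nonce, no
// capability check, no sanitization.
add_action( 'admin_post_example_hover_save', 'example_hover_save_unsafe' );
function example_hover_save_unsafe() {
    update_option( 'example_hover_settings', array(
        'share_label' => $_POST['share_label'] ?? '',
        'custom_html' => $_POST['custom_html'] ?? '', // stored raw, later echoed into pages
    ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-hover' ) );
    exit;
}

// --- Hardened handler: same hook, three checks added.
add_action( 'admin_post_example_hover_save', 'example_hover_save_hardened' );
function example_hover_save_hardened() {
    // 1. Authorization: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-hover' ), 403 );
    }

    // 2. CSRF protection: the request must carry a valid nonce for this action.
    //    check_admin_referer() also checks the HTTP referer and calls wp_die() on failure,
    //    so a forged cross-site submission never reaches update_option().
    check_admin_referer( 'example_hover_save_action', 'example_hover_nonce' );

    // 3. Sanitize to the type each field is allowed to hold before persisting.
    $settings = array(
        'share_label' => sanitize_text_field( wp_unslash( $_POST['share_label'] ?? '' ) ),
        'custom_html' => wp_kses_post( wp_unslash( $_POST['custom_html'] ?? '' ) ),
    );
    update_option( 'example_hover_settings', $settings );

    wp_safe_redirect( add_query_arg(
        'updated', '1',
        admin_url( 'options-general.php?page=example-hover' )
    ) );
    exit;
}

// The settings form that pairs with the hardened handler. wp_nonce_field() emits
// the hidden nonce and referer fields that check_admin_referer() validates.
function example_hover_render_form() {
    $s = get_option( 'example_hover_settings', array( 'share_label' => '', 'custom_html' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_hover_save">
        <?php wp_nonce_field( 'example_hover_save_action', 'example_hover_nonce' ); ?>
        <p>
            <label for="share_label"><?php esc_html_e( 'Share label', 'example-hover' ); ?></label>
            <input type="text" id="share_label" name="share_label"
                   value="<?php echo esc_attr( $s['share_label'] ); ?>">
        </p>
        <p>
            <label for="custom_html"><?php esc_html_e( 'Custom HTML', 'example-hover' ); ?></label>
            <textarea id="custom_html" name="custom_html"><?php echo esc_textarea( $s['custom_html'] ); ?></textarea>
        </p>
        <?php submit_button( __( 'Save Settings', 'example-hover' ) ); ?>
    </form>
    <?php
}
```

Plugins that use the WordPress Settings API (`register_setting()` with a `sanitize_callback`, and `settings_fields()` in the form) get the nonce and capability checks from `options.php` for free; the hand-rolled `admin_post_*` handler above is where those checks are most often forgotten. For a site owner who cannot yet update, the administrative side of the same defence is to confirm that nobody but trusted administrators holds `manage_options`, and to compare the plugin's stored options against a known-good export after any unexplained change.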
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-13360 is a Cross-Site Request Forgery (CSRF) vulnerability in the Quantic Social Image Hover WordPress plugin, allowing attackers to modify settings via forged requests.
If you are using Quantic Social Image Hover versions 1.0.0 through 1.0.8, you are potentially affected by this vulnerability.
Upgrade the Quantic Social Image Hover plugin to the latest available version as soon as a patch is released. Implement temporary workarounds like restricting access to plugin settings until then.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and patch release.