Platform: wordpress
Component: imaq-core
Fixed in: 1.2.2
CVE-2025-13363 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the IMAQ CORE plugin for WordPress. This flaw allows unauthenticated attackers to modify the plugin's URL structure settings by tricking an administrator into performing a malicious action. The vulnerability impacts versions 1.0.0 through 1.2.1, and a patch is expected to be released by the vendor.
A successful CSRF attack could allow an attacker to manipulate the IMAQ CORE plugin's configuration without authentication. This could lead to unexpected behavior on the website, potentially impacting SEO, redirecting users to malicious sites, or altering the plugin's functionality. The attacker needs to craft a malicious request and entice a site administrator to execute it, typically through a crafted link or form. The blast radius is limited to the impact of the plugin's altered settings, but could still cause significant disruption to a WordPress site.
This vulnerability was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been released at the time of writing, but the relatively simple nature of CSRF vulnerabilities suggests a PoC could emerge quickly. The vulnerability is not currently listed on the CISA KEV catalog. Exploitation probability is considered medium due to the ease of CSRF exploitation and the plugin's potential user base.
Exploit Status
EPSS: 0.02% (3% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13363 is to upgrade to a patched version of the IMAQ CORE plugin as soon as it becomes available. Until a patch is released, consider implementing stricter access controls for administrators, such as requiring multi-factor authentication (MFA). Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can provide an additional layer of defense. Review WordPress user roles and permissions to ensure administrators only have the necessary privileges. After upgrading, verify the plugin's URL structure settings have not been altered.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-13363 is a Cross-Site Request Forgery (CSRF) vulnerability in the IMAQ CORE WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if your WordPress site uses the IMAQ CORE plugin in versions 1.0.0 through 1.2.1.
Upgrade to the latest version of the IMAQ CORE plugin as soon as a patch is released. Implement stricter administrator access controls as a temporary measure.
There is no confirmed active exploitation at this time, but the vulnerability's nature suggests potential for exploitation.
Check the IMAQ CORE plugin's official website or WordPress plugin repository for updates and advisories.
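To check a site against the affected range given above (1.0.0 through 1.2.1), the following shell script reads the version from the plugin header and classifies the install. It is an added example, not part of the original advisory or the plugin's own code. It assumes the default `wp-content/plugins/imaq-core` location and a `sort` that supports `-V`; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code): classify an imaq-core install against the
# range on this page: affected 1.0.0 through 1.2.1, fixed in 1.2.2.

# version_le A B: succeed when A <= B in version order (needs sort -V).
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# plugin_version DIR: print the "Version:" value from the WordPress plugin
# header found in a top-level PHP file of DIR. The main file name is not
# assumed, so every *.php in DIR is searched.
plugin_version() {
    grep -h -i -m 1 -E '^[[:space:]*#@]*Version:' "$1"/*.php 2>/dev/null |
        head -n 1 | tr -d '\r' |
        sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# classify_imaq_core WP_ROOT: print not-installed, unknown,
# affected:<version> or not-affected:<version>.
# Assumption: plugins live under the default wp-content/plugins path.
classify_imaq_core() {
    dir="$1/wp-content/plugins/imaq-core"
    [ -d "$dir" ] || { echo "not-installed"; return 0; }
    ver="$(plugin_version "$dir")"
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    if version_le "1.0.0" "$ver" && version_le "$ver" "1.2.1"; then
        echo "affected:$ver"
    else
        echo "not-affected:$ver"
    fi
}

# Usage: sh check.sh /var/www/site1 /var/www/site2 (paths are placeholders)
for root in "$@"; do
    printf '%s\t%s\n' "$root" "$(classify_imaq_core "$root")"
done
```

An `unknown` result means the plugin directory exists but no version header was readable, so treat that site as affected until checked by hand.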