MEDIUM · CVE-2025-13360 · CVSS 4.3

Quantic Social Image Hover <= 1.0.8 - Cross-Site Request Forgery to Settings Update

Platform: wordpress

Component: tw-image-hover-share

Fixed in: 1.0.9

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2025-13360 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Quantic Social Image Hover plugin for WordPress. This flaw allows unauthenticated attackers to modify the plugin's settings, potentially leading to the injection of malicious web scripts. The vulnerability impacts versions 1.0.0 through 1.0.8, and a fix is expected to be released by the vendor.


Impact and Attack Scenarios

The primary impact of this CSRF vulnerability lies in the ability of an attacker to manipulate the Quantic Social Image Hover plugin's configuration without authenticating themselves: a forged request is submitted from the browser of a logged-in site administrator, so it is processed with that administrator's session. By crafting a malicious request and tricking the administrator into clicking a link or visiting a compromised page, an attacker can alter plugin settings. This could involve injecting arbitrary JavaScript code, redirecting users to phishing sites, or modifying the plugin's behavior to serve malicious content. The blast radius extends to all users of the affected WordPress site, with administrators as the targets of the forged request because they are the ones able to change plugin settings.

Exploitation Context

This vulnerability was publicly disclosed on 2025-12-05. Currently, there are no known public proof-of-concept exploits available. The CVSS base score of 4.3 (MEDIUM) reflects moderate severity; the likelihood of exploitation is tracked separately by the EPSS figure below. It is not currently listed on the CISA KEV catalog.

Who Is at Risk

WordPress websites utilizing the Quantic Social Image Hover plugin, particularly those with administrative access granted to multiple users or those lacking robust security practices, are at risk. Shared hosting environments where plugin updates are managed centrally may also be vulnerable if the plugin is not promptly updated across all sites.

Detection Steps

• Search the plugins directory for the settings-update handler named in this advisory:

grep -r 'social_image_hover_settings_update' /var/www/html/wp-content/plugins/

• List the installed plugin by its slug (tw-image-hover-share) together with its version using WP-CLI, and compare the version against the affected range 1.0.0 through 1.0.8:

wp plugin list --status=all --fields=name,version | grep -i 'tw-image-hover-share'

• Probe the AJAX action from outside (inventory only):

curl -sI 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=social_image_hover_settings_update' | grep -E '^HTTP/[0-9.]+ 200'

A 200 from admin-ajax.php only shows that a handler answered for that action; it does not distinguish a patched from an unpatched install, so confirm with the version check above. The status line alone is matched because HTTP/2 responses carry no "OK" reason phrase.

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet exposure: High

EPSS

0.02% (3rd percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (4.3 MEDIUM)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level required for the attack)
User Interaction: Required (whether the victim must take action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?

Attack Vector
Network: remotely exploitable over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
None: no authentication required to exploit.
User Interaction
Required: the victim must open a file, click a link or visit a page.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
None: no confidentiality impact.
Integrity
Low: the attacker can modify some data, with limited extent.
Availability
None: no availability impact.

Affected Software

Component: tw-image-hover-share
Vendor: wordfence
Affected range: 0 – 1.0.8
Fixed in: 1.0.9

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

No patch: 170 days after disclosure

Mitigation and Workarounds

The immediate mitigation for CVE-2025-13360 is to upgrade the Quantic Social Image Hover plugin to a patched version as soon as one becomes available (the affected-software data on this page lists 1.0.9 as the fixed version). Until a patch is installed, consider temporary workarounds such as restricting access to plugin settings pages to authenticated administrators only; note that a CSRF request executes inside the victim administrator's own session, so this restriction shrinks the set of accounts whose sessions can be abused rather than blocking the forged request itself. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide a layer of protection. Regularly review plugin settings for any unauthorized changes. After upgrading, verify that the plugin's settings match their intended configuration and that no malicious scripts have been injected.
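The handler shape that makes a settings-update CSRF possible, and the hardened form a patch would take, as an added example. This is not the Quantic Social Image Hover plugin's own code, which this page does not reproduce. The AJAX action name `social_image_hover_settings_update` is taken from the detection commands above; the option name `sih_example_settings`, the field names, the nonce action `sih_example_settings_update` and the script handle `sih-example-admin` are assumptions made for this example.

```php
<?php
/**
 * Added example, not the plugin's own code. The AJAX action name comes from
 * this advisory's detection commands; the option name, field names, nonce
 * action and script handle 'sih-example-admin' are invented for the example.
 */

/* ---- Vulnerable form ------------------------------------------------ */

// Registered only for logged-in users, yet still forgeable: the browser of
// an administrator who visits an attacker-controlled page attaches the
// WordPress login cookies to the cross-site request, so the handler runs
// with that administrator's session.
function sih_example_update_settings_vulnerable() {
	$settings = array(
		'hover_text' => isset( $_POST['hover_text'] ) ? $_POST['hover_text'] : '',
		'position'   => isset( $_POST['position'] ) ? $_POST['position'] : 'top',
	);
	// No nonce, no capability check, no sanitizing: whatever arrives is stored.
	update_option( 'sih_example_settings', $settings );
	wp_send_json_success();
}
// In the vulnerable version this would be hooked the same way as below:
// add_action( 'wp_ajax_social_image_hover_settings_update', 'sih_example_update_settings_vulnerable' );

/* ---- Hardened form -------------------------------------------------- */

function sih_example_update_settings_hardened() {
	// 1. CSRF protection: the request must carry a nonce minted for this
	//    action and this user. check_ajax_referer() reads $_REQUEST['security'],
	//    runs wp_verify_nonce() and terminates the request when it fails.
	//    A forged cross-site form has no way to learn the nonce value.
	check_ajax_referer( 'sih_example_settings_update', 'security' );

	// 2. Authorization: being logged in is not enough; require the
	//    capability that changing site-wide settings should need.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'insufficient privileges', 403 );
	}

	// 3. Input validation: whitelist enumerations and sanitize free text so
	//    a stored setting can never carry script into a page.
	$allowed_positions = array( 'top', 'bottom', 'left', 'right' );
	$position = isset( $_POST['position'] ) ? sanitize_key( wp_unslash( $_POST['position'] ) ) : 'top';
	if ( ! in_array( $position, $allowed_positions, true ) ) {
		$position = 'top';
	}
	$hover_text = isset( $_POST['hover_text'] )
		? sanitize_text_field( wp_unslash( $_POST['hover_text'] ) )
		: '';

	$settings = array(
		'hover_text' => $hover_text,
		'position'   => $position,
	);
	update_option( 'sih_example_settings', $settings );
	wp_send_json_success( $settings );
}
add_action( 'wp_ajax_social_image_hover_settings_update', 'sih_example_update_settings_hardened' );

// The legitimate settings page must hand the nonce to its own JavaScript so
// that genuine requests pass the check. Here it is passed with
// wp_localize_script() to an assumed admin script handle 'sih-example-admin'
// that the plugin would have registered elsewhere.
function sih_example_localize_nonce() {
	wp_localize_script(
		'sih-example-admin',
		'sihExample',
		array(
			'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
			'security' => wp_create_nonce( 'sih_example_settings_update' ),
		)
	);
}
add_action( 'admin_enqueue_scripts', 'sih_example_localize_nonce' );

// 4. Output escaping: even sanitized settings are escaped where they are
//    rendered, the last line of defence against stored script.
function sih_example_render_hover_text() {
	$settings = get_option( 'sih_example_settings', array( 'hover_text' => '', 'position' => 'top' ) );
	printf(
		'<span class="sih-hover sih-%s">%s</span>',
		esc_attr( $settings['position'] ),
		esc_html( $settings['hover_text'] )
	);
}
```

The nonce check is what closes the CSRF itself; the capability check, input whitelisting and output escaping address the "injection of malicious web scripts" consequence the advisory describes, so that even a request that somehow reaches the handler cannot store a value that renders as script. When reviewing a patched release, these four elements are what to look for in the settings handler.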

How to Fix

No known patch available. Study the vulnerability details thoroughly and apply mitigations based on your organization's risk tolerance. Removing the affected software and finding a replacement may be the best option.


Frequently Asked Questions

What is CVE-2025-13360 — CSRF in Quantic Social Image Hover?

CVE-2025-13360 is a Cross-Site Request Forgery (CSRF) vulnerability in the Quantic Social Image Hover WordPress plugin, allowing attackers to modify settings via forged requests.

Am I affected by CVE-2025-13360 in Quantic Social Image Hover?

If you are using Quantic Social Image Hover versions 1.0.0 through 1.0.8, you are potentially affected by this vulnerability.

How do I fix CVE-2025-13360 in Quantic Social Image Hover?

Upgrade the Quantic Social Image Hover plugin to the latest available version as soon as a patch is released. Implement temporary workarounds like restricting access to plugin settings until then.

Is CVE-2025-13360 being actively exploited?

As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.

Where can I find the official Quantic Social Image Hover advisory for CVE-2025-13360?

Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and patch release.
