Platform
wordpress
Component
tw-image-hover-share
Fixed version
1.0.9
CVE-2025-13360 is a Cross-Site Request Forgery (CSRF) vulnerability in the Quantic Social Image Hover plugin for WordPress (plugin slug tw-image-hover-share). The plugin's settings-update handler does not verify that a request was deliberately submitted by the administrator, so an attacker who holds no credentials on the site can have an authenticated administrator's browser submit a request that changes the plugin's settings, which can be used to inject web scripts into the site. Versions 1.0.0 through 1.0.8 are affected; the fixed-version field on this page lists 1.0.9.
The attacker does not need an account on the site. What the attack needs is a logged-in administrator whose browser can be made to send the forged request, for example by visiting an attacker-controlled page or clicking a link that auto-submits a form to the plugin's settings endpoint. The browser attaches the administrator's session cookie automatically, so the plugin accepts the change as if the administrator had saved it. Settings values that end up in page output then let the attacker inject arbitrary JavaScript, redirect visitors to phishing sites, or otherwise change what the plugin renders. The blast radius is therefore every visitor of pages where the plugin's output appears, not just the administrator who was tricked; the forged request needs only one such administrator.
This vulnerability was publicly disclosed on 2025-12-05. No public proof-of-concept exploit is known at the time of writing. The CVSS base score of 4.3 (MEDIUM) rates severity, not likelihood; the probability of exploitation is captured separately by the EPSS figure below. It is not currently listed in the CISA KEV catalog.
Any WordPress site with an affected version of the Quantic Social Image Hover plugin active is at risk. The exposure is larger where several users hold administrator rights (more browsers to target), where administrators browse untrusted sites while logged in to wp-admin, and on shared or centrally managed hosting where plugin updates roll out slowly, since every site still running 1.0.0 through 1.0.8 remains exposed until it is updated.
Detection (WordPress). The checks below are the page's own, corrected so that they run as written; the string social_image_hover_settings_update is the action name given on this page and has not been confirmed against the plugin source.

  # Is the plugin installed, and at which version? (WP-CLI, run from the site root)
  wp plugin get tw-image-hover-share --fields=name,status,version

  # Locate the settings-update handler named on this page inside the plugin
  grep -rn 'social_image_hover_settings_update' /var/www/html/wp-content/plugins/tw-image-hover-share/

  # Does that handler validate a nonce? No hit in the handler's file is the red flag
  grep -rnE 'check_admin_referer|check_ajax_referer|wp_verify_nonce' /var/www/html/wp-content/plugins/tw-image-hover-share/

An HTTP probe of admin-ajax.php (for example a HEAD request with the action name, checked for 200 OK) is not a useful check here: the status code returned for an action name does not reveal whether the handler validates a nonce, so it cannot distinguish a patched install from a vulnerable one.
Exploitation status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The fix for CVE-2025-13360 is to update the Quantic Social Image Hover plugin to the fixed version listed on this page (1.0.9) or later. Until the update is applied, deactivate the plugin. Restricting the settings page to administrators does not help against CSRF, because the forged request is sent by an administrator's own browser with the session cookie attached. A Web Application Firewall rule that rejects state-changing requests to the plugin's settings endpoint whose Origin or Referer header is not the site's own domain is a reasonable stopgap, but it is not a substitute for the plugin validating a nonce on the server side. Modern browsers' SameSite=Lax default for cookies blocks many cross-site POSTs but not top-level GET navigations, so a handler that accepts settings changes via GET stays exposed regardless. Review the plugin's stored settings for changes you did not make, and after updating confirm that the settings match the intended configuration and that no script or redirect has been injected into pages where the plugin renders output.
Where no patched version can be installed, review the vulnerability details thoroughly and apply mitigations according to your organisation's risk tolerance; the safest course is to uninstall the affected plugin and look for an alternative.
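The root-cause fix the advisory points to is server-side: a settings handler has to prove that the request came from a form the administrator actually rendered, and it has to check that the caller is allowed to change settings at all. The following is an added example written for this page, not code from the Quantic Social Image Hover plugin; the hook names, option name and field names (example_hover_settings, share_text, custom_js) are assumptions chosen for illustration. It shows the CSRF-prone shape of a WordPress settings handler next to the hardened one.

```php
<?php
// Added example for this page (not the Quantic Social Image Hover plugin's code).
// Hook names, option name and field names are assumptions for illustration.

// --- CSRF-prone handler ---------------------------------------------------
// Nothing ties the request to a form the administrator rendered. Any page an
// administrator visits while logged in can auto-submit a POST to
// admin-post.php?action=example_hover_settings_unsafe; the browser attaches the
// admin's session cookie, so update_option() runs with attacker-chosen data.
// If 'custom_js' is later echoed unescaped into page output, that is stored XSS
// for every visitor of the site.
add_action( 'admin_post_example_hover_settings_unsafe', function () {
    $settings = array(
        'share_text' => $_POST['share_text'] ?? '',
        'custom_js'  => $_POST['custom_js'] ?? '',
    );
    update_option( 'example_hover_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-hover' ) );
    exit;
} );

// --- Hardened handler -----------------------------------------------------
add_action( 'admin_post_example_hover_settings', function () {
    // 1. Authorisation: the logged-in user must be allowed to change options.
    //    A nonce alone does not prove that (a Subscriber can obtain one too).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: the request must carry the nonce minted for this action
    //    by wp_nonce_field() on the real settings page. A cross-site form cannot
    //    read that value, so check_admin_referer() dies with 403 on a forgery.
    check_admin_referer( 'example_hover_settings_save', 'example_hover_nonce' );

    // 3. Input hardening: store plain text only; a settings field has no
    //    legitimate reason to accept raw script.
    $settings = array(
        'share_text' => sanitize_text_field( wp_unslash( $_POST['share_text'] ?? '' ) ),
    );
    update_option( 'example_hover_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-hover&updated=1' ) );
    exit;
} );

// The settings form must emit the matching nonce field, or step 2 rejects
// every legitimate save as well.
function example_hover_render_settings_page() {
    $s = get_option( 'example_hover_settings', array( 'share_text' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_hover_settings">
        <?php wp_nonce_field( 'example_hover_settings_save', 'example_hover_nonce' ); ?>
        <label>Share text
            <input type="text" name="share_text" value="<?php echo esc_attr( $s['share_text'] ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

// Output side: escape on the way out as well, so a value that reached the
// option by some other route still cannot execute as script in visitors' browsers.
function example_hover_share_label() {
    $s = get_option( 'example_hover_settings', array( 'share_text' => '' ) );
    return '<span class="example-hover-share">' . esc_html( $s['share_text'] ) . '</span>';
}
```

Register example_hover_render_settings_page() as the callback of an add_options_page() entry so the form (and its nonce) is only ever rendered inside wp-admin. For a handler wired through admin-ajax.php instead of admin-post.php, the same defence is check_ajax_referer() with the nonce passed as a request parameter; the capability check and the sanitisation stay exactly as above.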
CVE-2025-13360 is a Cross-Site Request Forgery (CSRF) vulnerability in the Quantic Social Image Hover WordPress plugin: a forged request sent from an authenticated administrator's browser can change the plugin's settings.
If you are using Quantic Social Image Hover versions 1.0.0 through 1.0.8, you are potentially affected by this vulnerability.
Update the Quantic Social Image Hover plugin to the fixed version listed on this page (1.0.9) or later. Until you can, deactivate the plugin; a WAF rule on the settings endpoint is a stopgap only, not a fix.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and patch release.