Platform
wordpress
Component
imaq-core
Fixed version
1.2.2
CVE-2025-13363 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the IMAQ CORE plugin for WordPress. This flaw allows unauthenticated attackers to modify the plugin's URL structure settings by tricking an administrator into performing a malicious action. The vulnerability impacts versions 1.0.0 through 1.2.1, and a patch is expected to be released by the vendor.
A successful CSRF attack could allow an attacker to manipulate the IMAQ CORE plugin's configuration without authentication. This could lead to unexpected behavior on the website, potentially impacting SEO, redirecting users to malicious sites, or altering the plugin's functionality. The attacker needs to craft a malicious request and entice a site administrator to execute it, typically through a crafted link or form. The blast radius is limited to the impact of the plugin's altered settings, but could still cause significant disruption to a WordPress site.
This vulnerability was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been released at the time of writing, but the relatively simple nature of CSRF vulnerabilities suggests a PoC could emerge quickly. The vulnerability is not currently listed on the CISA KEV catalog. Exploitation probability is considered medium due to the ease of CSRF exploitation and the plugin's potential user base.
WordPress websites using the IMAQ CORE plugin, particularly those with multiple administrators or shared hosting environments, are at risk. Sites where administrators frequently click on links from untrusted sources are also more vulnerable.
• wordpress / composer / npm:
grep -ri "IMAQ CORE" /var/www/html/wp-content/plugins/
wp plugin list | grep -i imaq
• generic web:
curl -I "https://example.com/wp-admin/admin-ajax.php?action=update_url_structure&new_url=https://evil.com" | grep -i "200"
Disclosure
Exploitation status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13363 is to upgrade to a patched version of the IMAQ CORE plugin as soon as it becomes available. Until a patch is released, consider implementing stricter access controls for administrators, such as requiring multi-factor authentication (MFA). Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can provide an additional layer of defense. Review WordPress user roles and permissions to ensure administrators only have the necessary privileges. After upgrading, verify the plugin's URL structure settings have not been altered.
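To make the root cause of this class of flaw concrete, here is an added example that is not IMAQ CORE's own code: a generic WordPress settings handler in the vulnerable pattern beside its hardened form, where the request is bound to a nonce the admin's own form carried and a capability check confirms the actor is an administrator. The hook, function, option and field names are assumptions.

```php
<?php
// Added example, not IMAQ CORE's code. Hook, option and field names are assumed.

// Vulnerable pattern: any request that reaches this handler from a browser
// holding an admin's logged-in cookie changes the option. A form on a third-party
// site that POSTs here is enough, since nothing proves the admin meant to submit it.
function imaqcore_save_url_structure_vulnerable() {
    $value = sanitize_text_field( wp_unslash( $_POST['imaqcore_url_structure'] ?? '' ) );
    update_option( 'imaqcore_url_structure', $value );
    wp_safe_redirect( admin_url( 'admin.php?page=imaqcore' ) );
    exit;
}

// Hardened pattern: the nonce ties the request to a form WordPress rendered for
// this user and this action; the capability check rejects non-administrators.
function imaqcore_save_url_structure_hardened() {
    // Stops with a 403 unless a valid nonce for this action is present.
    check_admin_referer( 'imaqcore_save_url_structure', 'imaqcore_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['imaqcore_url_structure'] ?? '' ) );
    update_option( 'imaqcore_url_structure', $value );
    wp_safe_redirect( admin_url( 'admin.php?page=imaqcore&updated=1' ) );
    exit;
}
add_action( 'admin_post_imaqcore_save_url_structure', 'imaqcore_save_url_structure_hardened' );

// Settings form: wp_nonce_field() emits the hidden nonce the hardened handler verifies.
function imaqcore_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="imaqcore_save_url_structure">
        <?php wp_nonce_field( 'imaqcore_save_url_structure', 'imaqcore_nonce' ); ?>
        <input type="text" name="imaqcore_url_structure"
               value="<?php echo esc_attr( get_option( 'imaqcore_url_structure', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

After upgrading, the same nonce-and-capability pair is what to look for when reviewing any other plugin handler that writes options on a POST.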
No known patch is available. Review the vulnerability details thoroughly and apply mitigations according to your organization's risk tolerance. The safest course is to uninstall the affected software and look for an alternative.
CVE-2025-13363 is a Cross-Site Request Forgery (CSRF) vulnerability in the IMAQ CORE WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if your WordPress site uses the IMAQ CORE plugin in versions 1.0.0 through 1.2.1.
Upgrade to the latest version of the IMAQ CORE plugin as soon as a patch is released. Implement stricter administrator access controls as a temporary measure.
There is no confirmed active exploitation at this time, but the vulnerability's nature suggests potential for exploitation.
Check the IMAQ CORE plugin's official website or WordPress plugin repository for updates and advisories.