CVE-2025-13360: CWE-352 Cross-Site Request Forgery (CSRF) in monkeyboz Quantic Social Image Hover
The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-13360 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Quantic Social Image Hover plugin for WordPress, versions up to and including 1.0.8. The root cause is the absence of nonce validation on the settings update endpoint, a critical security control that prevents unauthorized state-changing requests. Without nonce verification, attackers can craft malicious URLs or web pages that, when visited by a logged-in WordPress administrator, cause the plugin’s settings to be altered without consent. This can lead to injection of malicious web scripts, potentially enabling further attacks such as persistent cross-site scripting (XSS) or manipulation of site behavior. The vulnerability does not require the attacker to be authenticated but does require the administrator to interact with the malicious content (user interaction). The CVSS v3.1 score is 4.3 (medium), reflecting the limited impact on confidentiality and availability but a moderate impact on integrity. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. The plugin is developed by monkeyboz and is used primarily on WordPress sites to enhance social image hover effects, which may limit the scope but still poses a risk to affected sites.
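The root cause described above, a settings handler that writes an option without verifying a WordPress nonce, beside its hardened form. This is an added illustration in the shape the advisory describes, not the plugin's own code; the `qsih_` function, hook, option and field names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Option/field/hook names
// (qsih_*) are hypothetical placeholders standing in for the real ones.

// --- Before: the state change is accepted from any POST that carries the
// field. A form submitted from another origin succeeds because the logged-in
// administrator's cookies are sent automatically, and nothing in the request
// proves the administrator intended to submit it.
function qsih_save_settings_vulnerable() {
    if ( isset( $_POST['qsih_hover_html'] ) ) {
        // Raw value stored and later echoed into pages: the script-injection path.
        update_option( 'qsih_hover_html', wp_unslash( $_POST['qsih_hover_html'] ) );
    }
}

// --- After: capability check, nonce check, and sanitisation before storage.
function qsih_save_settings_fixed() {
    if ( ! isset( $_POST['qsih_hover_html'] ) ) {
        return;
    }
    // Only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'qsih' ), '', array( 'response' => 403 ) );
    }
    // Terminates the request unless a valid nonce for this action is present.
    // The nonce is emitted by wp_nonce_field() in the form below and is bound to
    // the user and session, so a cross-site page cannot supply it.
    check_admin_referer( 'qsih_save_settings', 'qsih_nonce' );

    // Strip script tags and event-handler attributes before persisting.
    $value = wp_kses_post( wp_unslash( $_POST['qsih_hover_html'] ) );
    update_option( 'qsih_hover_html', $value );
}
add_action( 'admin_post_qsih_save_settings', 'qsih_save_settings_fixed' );

// Settings form that emits the nonce field the handler above verifies.
function qsih_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="qsih_save_settings">
        <?php wp_nonce_field( 'qsih_save_settings', 'qsih_nonce' ); ?>
        <textarea name="qsih_hover_html"><?php echo esc_textarea( get_option( 'qsih_hover_html', '' ) ); ?></textarea>
        <?php submit_button( __( 'Save', 'qsih' ) ); ?>
    </form>
    <?php
}
```

A nonce proves intent for a logged-in user but is not an authorization check, which is why the capability test stays alongside it. When reviewing a plugin for this class of bug, look for every `update_option()` reachable from a request and confirm both checks precede it.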
Potential Impact
For European organizations, this vulnerability could lead to unauthorized modification of plugin settings and injection of malicious scripts on WordPress sites using the Quantic Social Image Hover plugin. This may result in defacement, redirection to malicious sites, or further exploitation through script injection. While the direct impact on confidentiality and availability is low, the integrity of the website's content and user trust can be compromised. Organizations relying on WordPress for public-facing websites or intranet portals are at risk, especially if administrators are not trained to recognize the phishing or social engineering attempts that could trigger this vulnerability. The attack vector requires user interaction, which somewhat limits mass exploitation, but targeted attacks against high-value sites remain a concern. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should update the Quantic Social Image Hover plugin to a patched version as soon as one is available. In the absence of an official patch, administrators should restrict access to the WordPress admin panel to trusted IP addresses and enforce multi-factor authentication to reduce the risk of compromised credentials. Implementing web application firewalls (WAFs) with rules to detect and block CSRF attack patterns can provide additional protection. Site administrators should be educated about the risks of clicking on unsolicited links and the importance of verifying URLs before interacting with them. Additionally, site owners can temporarily disable or remove the plugin if it is not critical to operations until a secure version is released. Monitoring for unusual changes in plugin settings or unexpected script injections can help detect exploitation attempts early.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-18T16:31:13.464Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69327173f88dbe026c7799af
Added to database: 12/5/2025, 5:45:23 AM
Last enriched: 12/5/2025, 6:02:56 AM
Last updated: 12/7/2025, 4:13:22 AM