The Quantic Social Image Hover plugin for WordPress, developed by monkeyboz, suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-13360. This vulnerability exists in all versions up to and including 1.0.8 due to the absence of nonce validation on the settings update endpoint. Nonce validation is a security mechanism used in WordPress to ensure that requests to modify settings originate from legitimate users and not from forged requests. Without this protection, an attacker can craft a malicious link or webpage that, when visited by a site administrator, triggers an unauthorized request to update the plugin’s settings. This can lead to injection of malicious web scripts or other unauthorized configuration changes. The vulnerability does not require the attacker to be authenticated, but it does require the targeted administrator to interact with the malicious content (user interaction). The CVSS v3.1 base score is 4.3, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact. No known exploits have been reported in the wild, and no official patches have been published as of the vulnerability disclosure date (December 5, 2025). The vulnerability falls under CWE-352, which is a common web security weakness related to CSRF attacks.

For European organizations running WordPress sites with the Quantic Social Image Hover plugin, this vulnerability poses a risk of unauthorized modification of plugin settings and potential injection of malicious scripts. Such changes can undermine the integrity of the website, potentially leading to defacement, redirection to malicious sites, or the execution of malicious code in the context of site visitors or administrators. While the vulnerability does not directly compromise confidentiality or availability, the injected scripts could be leveraged for phishing, session hijacking, or further exploitation. The requirement for administrator interaction reduces the likelihood of widespread automated exploitation but does not eliminate risk, especially in environments where administrators may be targeted via spear-phishing or social engineering. Given the widespread use of WordPress in Europe, organizations with limited security awareness or lacking strict administrative controls are particularly vulnerable. The absence of patches means organizations must rely on compensating controls until an update is available.

European organizations should immediately implement compensating controls to mitigate this vulnerability. These include: 1) Restricting administrative access to trusted networks and enforcing multi-factor authentication (MFA) for all WordPress administrators to reduce the risk of successful social engineering. 2) Educating administrators about the risks of clicking on unsolicited or suspicious links, especially those that could trigger configuration changes. 3) Temporarily disabling or removing the Quantic Social Image Hover plugin if it is not critical to site functionality until a patched version is released. 4) Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious POST requests targeting the plugin’s settings endpoint. 5) Monitoring WordPress logs for unusual configuration changes or administrative actions. 6) Keeping WordPress core and all plugins up to date and subscribing to vendor security advisories for timely patch application once available. 7) Implementing Content Security Policy (CSP) headers to limit the impact of any injected scripts. These targeted measures go beyond generic advice by focusing on reducing attack surface and administrator exposure.