CVE-2025-13363 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the IMAQ Core plugin for WordPress, versions up to and including 1.2.1. The root cause is the absence of nonce validation in the URL structure settings update functionality, which is a critical security control designed to verify the legitimacy of requests modifying sensitive settings. Without this protection, an attacker can craft a malicious URL that, when visited by an authenticated site administrator, triggers unauthorized changes to the plugin’s URL structure settings. This attack vector requires no prior authentication by the attacker but does require the victim administrator to interact with the malicious link, making social engineering a key component of exploitation. The vulnerability impacts the integrity of the plugin’s configuration but does not expose confidential data or disrupt service availability. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the low complexity of attack (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). There are no known public exploits or patches available at the time of publication. The vulnerability is cataloged under CWE-352, which covers CSRF issues. Given the widespread use of WordPress and the plugin’s role in managing URL structures, unauthorized changes could lead to site misconfigurations, SEO impacts, or indirect security risks if URL routing is manipulated.

For European organizations, the impact primarily concerns the integrity of website configurations managed through the IMAQ Core plugin. Unauthorized changes to URL structures could disrupt website navigation, SEO rankings, and potentially expose the site to further attacks if URL routing is altered maliciously. Although confidentiality and availability are not directly affected, the integrity compromise could lead to reputational damage, loss of user trust, and operational disruptions, especially for e-commerce, media, and public sector websites relying on WordPress. Organizations with high web traffic or regulatory obligations around website integrity (e.g., GDPR compliance for accurate user-facing information) may face compliance risks if unauthorized changes go undetected. The requirement for administrator interaction means internal security awareness and phishing defenses are critical to prevent exploitation.

Specific mitigation steps include: 1) Immediately update the IMAQ Core plugin to a fixed version once available from the vendor. 2) Until a patch is released, implement web application firewall (WAF) rules to detect and block suspicious requests targeting the URL structure update endpoints. 3) Educate WordPress administrators about the risks of clicking untrusted links, emphasizing phishing awareness. 4) Restrict administrative access to trusted networks or VPNs to reduce exposure to external CSRF attempts. 5) Regularly audit plugin settings and website URL configurations for unauthorized changes. 6) Employ security plugins that add nonce validation or CSRF protections if vendor patches are delayed. 7) Monitor logs for anomalous POST requests to the plugin’s settings endpoints. These measures go beyond generic advice by focusing on interim controls and administrator behavior to reduce exploitation likelihood.