CVE-2025-13363 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the IMAQ Core plugin for WordPress, affecting all versions up to and including 1.2.1. The vulnerability stems from the plugin's failure to implement nonce validation on the URL structure settings update functionality. Nonce validation is a security measure that ensures requests modifying sensitive settings originate from legitimate users and sessions. Without this protection, an attacker can craft a malicious URL or form that, when visited or submitted by an authenticated site administrator, triggers unauthorized changes to the plugin's URL structure settings. This attack vector requires no authentication on the attacker’s part but does require the victim administrator to perform an action such as clicking a link or visiting a malicious page, which constitutes user interaction. The vulnerability primarily impacts the integrity of the plugin’s configuration, as attackers can alter URL structures potentially affecting site behavior or SEO. Confidentiality and availability are not directly impacted. The CVSS v3.1 score is 4.3 (medium), reflecting network attack vector, low complexity, no privileges required, user interaction needed, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact. No patches or fixes have been published yet, and no known exploits are reported in the wild. The vulnerability was reserved on November 18, 2025, and published on December 12, 2025, with Wordfence as the assigner. The plugin is widely used in WordPress environments, making this a relevant concern for many websites relying on IMAQ Core for URL management.

The primary impact of this vulnerability is the unauthorized modification of the IMAQ Core plugin’s URL structure settings, which can disrupt website navigation, SEO configurations, or other URL-dependent functionalities. While it does not directly expose sensitive data or cause denial of service, the integrity compromise can lead to degraded user experience, potential SEO penalties, or indirect security risks if URL changes facilitate further attacks. Organizations relying on this plugin risk unauthorized configuration changes that could be exploited for phishing, redirecting users to malicious sites, or breaking site functionality. Since exploitation requires tricking an administrator into clicking a malicious link, the risk is elevated in environments with multiple administrators or where phishing attacks are common. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is public. The medium CVSS score reflects moderate risk, but impact can be significant for high-traffic or security-sensitive WordPress sites.

1. Immediately restrict administrative access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of successful CSRF exploitation. 2. Educate administrators about phishing and social engineering tactics to prevent inadvertent clicking on malicious links. 3. Monitor web server and application logs for unusual POST or GET requests targeting the URL structure settings endpoint. 4. Implement web application firewall (WAF) rules to detect and block suspicious requests that attempt to modify plugin settings without proper nonce tokens. 5. Until an official patch is released, consider temporarily disabling or restricting the URL structure settings update functionality if feasible. 6. Regularly check for updates from the vendor and apply patches promptly once available. 7. Employ Content Security Policy (CSP) headers to limit the sources of executable scripts and reduce the risk of CSRF via injected scripts. 8. Use security plugins that provide CSRF protection or nonce enforcement for WordPress plugins lacking it. 9. Conduct periodic security audits and penetration testing focusing on plugin vulnerabilities and administrative interfaces.