Description
The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling arbitrary plugin settings changes and injection of malicious scripts
Action: Apply patch
AI Analysis

Impact

Cross‑Site Request Forgery on the Quantic Social Image Hover WordPress plugin allows attackers who can trick an administrator into clicking a crafted link to change the plugin's settings without authentication. Because the settings update lacks nonce validation, an adversary can inject malicious scripts that will then be served to visitors as part of the site. This flaw can lead to client‑side code execution or other XSS‑style issues depending on the injected content. The weakness is classified as CWE‑352, highlighting the missing verification of request authenticity.

Affected Systems

The vulnerable component is the Quantic Social Image Hover plugin (monkeyboz:Quantic Social Image Hover) released by monkeyboz. All versions up to and including 1.0.8 are affected. The plugin is commonly installed on WordPress sites to provide image hover sharing capabilities, and any site running these versions is at risk.

Risk and Exploitability

The CVSS base score of 4.3 indicates a low severity, and the EPSS score of less than 1% shows that documented exploitation is unlikely at present. The issue is not listed in CISA’s KEV catalog, meaning there are no known widespread exploits; nonetheless, the attack requires only social engineering to persuade an administrator to click a forged link. Once successful, the attacker can alter configuration and embed malicious code, which could impact site integrity and compromise visitors.

Generated by OpenCVE AI on April 21, 2026 at 17:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Quantic Social Image Hover plugin to the latest release that addresses the CSRF flaw; if no newer version exists, consider disabling or uninstalling the plugin until a patch is available.
  • Modify the plugin’s settings update handler (tw-image-hover.php) to enforce nonce verification using wp_verify_nonce before applying any changes, thereby preventing unauthenticated requests from succeeding.
  • Apply strong administrative controls: enforce unique, complex passwords for all admin users, enable two‑factor authentication, limit the number of accounts with edit capabilities, and conduct security awareness training to reduce the likelihood of social‑engineering attacks that could trigger the CSRF vulnerability.
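As an added illustration of the second recommendation (example code, not the plugin's own or OpenCVE's), the settings handler in its vulnerable form beside a hardened form that performs the capability and nonce checks; the option name, hook names and field names are hypothetical, while the WordPress functions used are the standard ones.

```php
<?php
// Added example, not the plugin's or OpenCVE's code; option, hook and field names are hypothetical.

// Vulnerable pattern: the handler trusts any POST that reaches admin-post.php.
// A form on a third-party page, submitted by a logged-in administrator's browser,
// succeeds because nothing proves the administrator intended the request (CWE-352).
add_action( 'admin_post_example_hover_save_insecure', function () {
    $opts = array(
        'hover_text' => $_POST['hover_text'] ?? '', // stored raw, later echoed into pages
    );
    update_option( 'example_hover_settings', $opts );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-hover' ) );
    exit;
} );

// Hardened pattern: capability check, nonce check, then sanitisation.
add_action( 'admin_post_example_hover_save', function () {
    // 1. Only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. The nonce binds the request to a form WordPress rendered for this user and
    //    this action; a forged page cannot supply it. check_admin_referer() wraps
    //    wp_verify_nonce() and terminates the request on failure.
    check_admin_referer( 'example_hover_save', 'example_hover_nonce' );

    // 3. Never store raw input that will be echoed back into pages.
    $opts = array(
        'hover_text' => sanitize_text_field( wp_unslash( $_POST['hover_text'] ?? '' ) ),
    );
    update_option( 'example_hover_settings', $opts );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-hover' ) );
    exit;
} );

// The settings form must emit the matching nonce field and target the hardened action;
// stored values are escaped when echoed.
function example_hover_render_form() {
    $opts = get_option( 'example_hover_settings', array( 'hover_text' => '' ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_hover_save">';
    wp_nonce_field( 'example_hover_save', 'example_hover_nonce' );
    echo '<input type="text" name="hover_text" value="' . esc_attr( $opts['hover_text'] ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```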


Advisories

No advisories yet.

History

Fri, 05 Dec 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Dec 2025 11:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress
                                       Wordpress wordpress
Vendors & Products                     Wordpress
                                       Wordpress wordpress

Fri, 05 Dec 2025 05:45:00 +0000

Type          Values Removed   Values Added
Description                    The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title                          Quantic Social Image Hover <= 1.0.8 - Cross-Site Request Forgery to Settings Update
Weaknesses                     CWE-352
References
Metrics                        cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:08.841Z

Reserved: 2025-11-18T16:31:13.464Z

Link: CVE-2025-13360

Vulnrichment

Updated: 2025-12-05T15:02:29.636Z

NVD

Status : Deferred

Published: 2025-12-05T06:16:07.563

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses