CVE-2025-4964 is a time-based SQL Injection vulnerability identified in the WP Online Users Stats plugin for WordPress, affecting all versions up to and including 1.0.0. The root cause is improper neutralization of special elements in the 'table_name' parameter, which is user-supplied and insufficiently escaped or prepared before being incorporated into SQL queries. This flaw allows authenticated attackers with Editor-level or higher privileges to inject additional SQL commands into existing queries. The injection is time-based, meaning attackers can infer data by measuring response delays, enabling extraction of sensitive database information such as user credentials or site configuration details. The vulnerability does not require user interaction beyond authentication, and no public exploits have been reported yet. The CVSS v3.1 base score is 4.9 (medium), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact. The vulnerability is cataloged under CWE-89, highlighting improper input validation in SQL commands. No patches or fixes have been published as of the vulnerability disclosure date (June 6, 2025).

This vulnerability can lead to unauthorized disclosure of sensitive information stored in the WordPress database, including user data, site configuration, and potentially credentials. Since the attack requires Editor-level access, the risk is somewhat mitigated by privilege requirements; however, compromised Editor accounts or insider threats could exploit this flaw to escalate data exposure. The confidentiality breach could facilitate further attacks such as privilege escalation, data theft, or site defacement. The lack of impact on integrity and availability reduces the risk of direct site disruption but does not eliminate the threat to data privacy. Organizations relying on this plugin for user statistics may face compliance issues if sensitive data is leaked. The absence of known exploits limits immediate widespread impact, but the vulnerability remains a significant risk until patched. The threat is particularly relevant for websites with multiple Editors or where Editor accounts are less strictly controlled.

1. Immediately restrict Editor-level and higher privileges to trusted users only, minimizing the risk of exploitation. 2. Disable or uninstall the WP Online Users Stats plugin until a security patch is released by the vendor. 3. Monitor database query logs and web server logs for unusual or time-delayed SQL query patterns indicative of time-based SQL Injection attempts. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection payloads targeting the 'table_name' parameter. 5. Enforce the principle of least privilege on WordPress user roles to reduce the number of users with Editor or higher access. 6. Regularly update WordPress core and plugins, and subscribe to vendor security advisories for timely patch deployment. 7. Consider using parameterized queries or prepared statements in custom plugin code to prevent SQL Injection vulnerabilities. 8. Conduct security audits and penetration testing focused on SQL Injection vectors in WordPress plugins.