CVE-2025-4964: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in hk1993 WP Online Users Stats
The WP Online Users Stats plugin for WordPress is vulnerable to time-based SQL Injection via the ‘table_name’ parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
CVE-2025-4964 is a medium-severity SQL Injection vulnerability affecting the WP Online Users Stats plugin for WordPress, specifically all versions up to and including 1.0.0. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) due to insufficient escaping of the 'table_name' parameter. This parameter is user-supplied and not adequately sanitized or prepared before being incorporated into SQL queries. As a result, authenticated attackers with Editor-level privileges or higher can exploit this flaw by injecting time-based SQL payloads. This allows them to append additional SQL queries to existing ones, potentially extracting sensitive information from the underlying database. The attack does not require user interaction but does require elevated privileges (Editor or above). The CVSS 3.1 score is 4.9 (medium), reflecting the network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality but no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is significant because WordPress is widely used, and plugins like WP Online Users Stats are common in websites that track user activity. The ability to extract sensitive data via SQL injection can lead to data breaches, exposure of user information, and potential further exploitation if combined with other vulnerabilities.
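The root cause described above is an SQL identifier (a table name) taken from a request and concatenated into a query. The following is an added example, not code from the plugin or from this advisory, that shows why escaping alone cannot fix that pattern and how an allow-list plus bound parameters does. It uses an in-memory SQLite database constructed here; the table names, column names and helper names are assumptions standing in for the plugin's real schema.

```python
"""Added example (not the plugin's code): an interpolated table identifier
beside its hardened, allow-listed form. Schema and names are constructed."""
import sqlite3

# Constructed allow-list: the only tables this feature is ever meant to read.
ALLOWED_TABLES = {"wp_online_users_stats", "wp_online_users_daily"}


def build_query_vulnerable(table_name: str) -> str:
    """Vulnerable pattern: the identifier is dropped straight into the SQL text.

    Quote-escaping does not help here, because an identifier is not inside
    quotes to begin with; whatever the caller sends becomes part of the query.
    """
    return f"SELECT COUNT(*) FROM {table_name} WHERE seen_at > ?"


def build_query_hardened(table_name: str) -> str:
    """Hardened form: identifiers cannot be bound as '?' parameters, so the
    name is checked against a fixed allow-list first, then quoted as an
    identifier. Values (the timestamp) are still bound, never interpolated."""
    if table_name not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {table_name!r}")
    return f'SELECT COUNT(*) FROM "{table_name}" WHERE seen_at > ?'


def count_recent(conn, table_name, since, builder=build_query_hardened):
    """Run the statistic query with the timestamp bound as a parameter."""
    sql = builder(table_name)
    return conn.execute(sql, (since,)).fetchone()[0]


def demo():
    """Exercise both builders on a constructed database.

    Returns (legitimate count, SQL the vulnerable builder emits for an
    arbitrary non-identifier string, whether the hardened builder refused it).
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_online_users_stats (user_id INTEGER, seen_at INTEGER);
        INSERT INTO wp_online_users_stats VALUES (1, 100), (2, 200), (3, 300);
        """
    )
    # Legitimate use: an allow-listed table name and a bound timestamp.
    ok = count_recent(conn, "wp_online_users_stats", 150)

    # The vulnerable builder performs no validation at all: any text the
    # request carries is spliced into the statement verbatim.
    vulnerable_sql = build_query_vulnerable("not a table")

    # The hardened builder rejects the same input before any SQL is built.
    try:
        count_recent(conn, "not a table", 150)
        rejected = False
    except ValueError:
        rejected = True
    return ok, vulnerable_sql, rejected


if __name__ == "__main__":
    print(demo())
```

The design point is that prepared statements protect values, not identifiers; a table or column name chosen by the user has to be constrained by the application (an allow-list, or a strict identifier pattern plus a lookup) before it is quoted into the query. WordPress code would do the same check before calling `$wpdb->prepare()`.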
Potential Impact
For European organizations using WordPress websites with the WP Online Users Stats plugin, this vulnerability poses a risk of unauthorized data disclosure. Attackers with Editor-level access can exploit the flaw to extract sensitive database information, which may include user credentials, personal data, or business-critical information depending on the database contents. This can lead to violations of GDPR and other data protection regulations, resulting in legal and financial penalties. The impact is particularly relevant for organizations that rely on WordPress for customer-facing portals, intranets, or content management where the plugin is installed. Although the vulnerability does not allow direct modification or destruction of data, the confidentiality breach alone can damage reputation and trust. Since exploitation requires authenticated access with elevated privileges, the threat is mitigated somewhat by internal access controls, but insider threats or compromised editor accounts remain a concern. The lack of known exploits in the wild suggests limited current active exploitation, but the vulnerability should be addressed promptly to prevent future attacks.
Mitigation Recommendations
1. Immediate mitigation involves restricting Editor-level and higher privileges to trusted users only, minimizing the risk of exploitation.
2. Monitor and audit user accounts with elevated privileges for suspicious activity.
3. Disable or uninstall the WP Online Users Stats plugin if it is not essential, to reduce the attack surface.
4. Implement Web Application Firewall (WAF) rules that detect and block SQL injection patterns targeting the 'table_name' parameter.
5. Use database user accounts with the least privilege necessary, limiting the ability of injected queries to access sensitive tables.
6. Regularly update WordPress core, plugins, and themes to receive security patches once available.
7. Employ parameterized queries or prepared statements in custom code to prevent SQL injection.
8. Conduct security assessments and penetration testing focusing on plugins and user input sanitization.
9. Back up databases regularly to ensure recovery in case of compromise.
10. Stay informed through vendor advisories and security bulletins for patch releases addressing this vulnerability.
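Recommendation 4 above asks for detection of injection attempts against the 'table_name' parameter. The following is an added example, not part of this advisory, of the check a WAF rule or a log-review script would apply: a legitimate table name is a plain identifier, so any value containing other characters is anomalous, and the function names used by time-based probes are flagged explicitly. The access-log lines and the request path (`/wp-admin/admin.php?page=online-users-stats`) are constructed for the example and are not the plugin's real endpoint.

```python
"""Added example (not from the advisory): flag suspicious 'table_name' values
in web-server access logs. Log lines and the request path are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# A real table name is an identifier; anything else should never be seen.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Functions that appear only in time-based injection probes (MySQL, MSSQL, PostgreSQL).
TIME_BASED_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: one legitimate request, one time-based probe, one malformed value.
SAMPLE_LOG = [
    '10.0.0.5 - editor [01/Jul/2025:10:00:01 +0000] "GET /wp-admin/admin.php'
    '?page=online-users-stats&table_name=wp_online_users_stats HTTP/1.1" 200 1532',
    '10.0.0.9 - editor [01/Jul/2025:10:00:07 +0000] "GET /wp-admin/admin.php'
    '?page=online-users-stats&table_name=wp_online_users_stats%20AND%20SLEEP%285%29 HTTP/1.1" 200 1532',
    '10.0.0.9 - editor [01/Jul/2025:10:00:12 +0000] "GET /wp-admin/admin.php'
    '?page=online-users-stats&table_name=x%27%29%20-- HTTP/1.1" 500 0',
]


def classify_table_name(value: str):
    """Return a verdict label for one decoded parameter value, or None if benign."""
    if TIME_BASED_RE.search(value):
        return "time-based-sqli"
    if not IDENTIFIER_RE.match(value):
        return "non-identifier"
    return None


def scan_log(lines):
    """Parse each line, decode the query string and report anomalous table_name values.

    Returns a list of (client ip, verdict, decoded value) tuples.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        # parse_qs percent-decodes values, so SLEEP%285%29 becomes SLEEP(5).
        params = parse_qs(urlsplit(m["target"]).query)
        for raw in params.get("table_name", []):
            verdict = classify_table_name(raw)
            if verdict:
                findings.append((m["ip"], verdict, raw))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The identifier check is the stronger of the two signals: it needs no signature list and catches whatever the probe looks like. Where the log format also records response time, an elevated value on the same request corroborates a time-based attempt, and the authenticated user name in the log (here the constructed `editor`) is what ties a finding back to the Editor-level account that recommendations 1 and 2 ask to audit.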
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-19T20:02:33.110Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68429199182aa0cae20492ce
Added to database: 6/6/2025, 6:58:33 AM
Last enriched: 7/7/2025, 5:57:26 PM
Last updated: 8/5/2025, 11:06:23 PM
Related Threats
- CVE-2025-9012: SQL Injection in PHPGurukul Online Shopping Portal Project (Medium)
- CVE-2025-9011: SQL Injection in PHPGurukul Online Shopping Portal Project (Medium)
- CVE-2025-9010: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-9009: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-31961: CWE-1220 Insufficient Granularity of Access Control in HCL Software Connections (Low)