CVE-2025-4966: CWE-352 Cross-Site Request Forgery (CSRF) in hk1993 WP Online Users Stats
The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-4966 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the WP Online Users Stats plugin for WordPress, developed by hk1993. This vulnerability affects all versions up to and including 1.0.0. The root cause is the absence of nonce validation in the hk_dataset_results() function, which is critical for verifying the legitimacy of requests initiated by users. Without this validation, an attacker can craft a malicious web request that, when executed by an authenticated site administrator (e.g., via clicking a link), can perform unauthorized actions on the WordPress site. The vulnerability does not require the attacker to be authenticated themselves, but relies on social engineering to trick an administrator into triggering the malicious request. The CVSS 3.1 base score is 6.1, reflecting a medium severity level. The vector indicates that the attack can be performed remotely (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), but requires user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality and integrity to a limited extent (C:L, I:L), but does not affect availability (A:N). There are no known exploits in the wild at the time of publication, and no patches have been linked yet. This vulnerability is categorized under CWE-352, which is a common web security weakness related to CSRF attacks. Given the widespread use of WordPress and the popularity of plugins for user statistics, this vulnerability could be leveraged to manipulate site data or perform unauthorized actions within the plugin's scope if exploited successfully.
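The defect class described above is a state-changing admin handler that never checks a nonce, so a request forged from another site succeeds once an administrator's browser sends it with their session cookie. The constructed WordPress example below shows that pattern beside its hardened form; it is not the WP Online Users Stats plugin's code, and the hook, option, field and function names are assumptions chosen for illustration.

```php
<?php
// Constructed example, not the WP Online Users Stats plugin's own code.
// All hook, option, field and function names here are assumptions.

// VULNERABLE PATTERN (shown for contrast, deliberately not hooked): the handler
// trusts any POST that carries the admin's cookies and stores the raw value,
// so a cross-site form submission can both change state and plant script.
function example_stats_save_vulnerable() {
    if ( isset( $_POST['stats_label'] ) ) {
        update_option( 'example_stats_label', $_POST['stats_label'] ); // no nonce, no sanitizing
    }
}

// HARDENED PATTERN: the form carries a nonce bound to this user and action...
function example_stats_form_render() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_stats_save">';
    wp_nonce_field( 'example_stats_save', 'example_stats_nonce' );
    echo '<input type="text" name="stats_label" value="'
        . esc_attr( get_option( 'example_stats_label', '' ) ) . '">'; // escape on output
    echo '<button>Save</button></form>';
}

// ...and the handler refuses to act unless the nonce verifies and the caller
// has the capability. A forged request cannot supply a valid nonce because the
// attacking origin never sees the admin's page.
function example_stats_save_hardened() {
    // Dies with a 403-style "link has expired" page if the nonce is missing or bad.
    check_admin_referer( 'example_stats_save', 'example_stats_nonce' );

    // A nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }

    if ( isset( $_POST['stats_label'] ) ) {
        $label = sanitize_text_field( wp_unslash( $_POST['stats_label'] ) );
        update_option( 'example_stats_label', $label );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-stats&saved=1' ) );
    exit;
}
add_action( 'admin_post_example_stats_save', 'example_stats_save_hardened' );
```

For AJAX endpoints the equivalent guard is check_ajax_referer(); a WAF rule that requires a Referer/Origin matching the site for requests to the handler is a stopgap, not a replacement for the nonce check.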
Potential Impact
For European organizations using WordPress sites with the WP Online Users Stats plugin, this vulnerability poses a risk of unauthorized actions being performed on their websites without their consent. Although the impact on availability is negligible, the potential for confidentiality and integrity compromise exists, such as unauthorized data manipulation or leakage of user statistics. This could lead to reputational damage, especially for organizations relying on accurate user metrics for business decisions or compliance reporting. Additionally, if attackers use this vulnerability as a foothold, it could facilitate further attacks on the website or connected systems. The requirement for user interaction (an administrator clicking a malicious link) means that phishing or social engineering campaigns could be a vector, which is a common attack method in Europe. Organizations with strict data protection regulations (e.g., GDPR) may face compliance risks if the vulnerability leads to unauthorized data exposure or manipulation.
Mitigation Recommendations
1. Immediate mitigation involves disabling or uninstalling the WP Online Users Stats plugin until a patched version is released.
2. Monitor official sources from the vendor (hk1993) and the WordPress plugin repository for updates or patches addressing this vulnerability.
3. Implement web application firewalls (WAFs) with rules to detect and block CSRF attempts targeting the plugin's endpoints, especially the hk_dataset_results() function.
4. Educate site administrators about the risks of clicking untrusted links, particularly when logged into administrative accounts.
5. Employ security plugins that enforce nonce validation or add additional CSRF protections at the WordPress level.
6. Conduct regular security audits and penetration tests focusing on plugin vulnerabilities and CSRF attack vectors.
7. Restrict administrative access to trusted networks or via VPN to reduce exposure to phishing attempts.
8. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts that could be injected via CSRF.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-19T20:28:54.645Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68429199182aa0cae20492d0
Added to database: 6/6/2025, 6:58:33 AM
Last enriched: 7/7/2025, 5:57:11 PM
Last updated: 7/30/2025, 4:13:35 PM