{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4966", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-19T20:28:54.645Z", "datePublished": "2025-06-06T06:42:51.839Z", "dateUpdated": "2026-04-08T17:12:56.919Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:56.919Z"}, "affected": [{"vendor": "hk1993", "product": "WP Online Users Stats", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "WP Online Users Stats <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via hk_dataset_results Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a41226ab-9732-4de2-843b-284c011c9224?source=cve"}, {"url": "https://wordpress.org/plugins/wp-online-users-stats/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-online-users-stats/trunk/admin/class-wp-online-users-stats-admin.php#L118"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rajan Kshedal"}], "timeline": [{"time": "2025-06-05T17:51:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-06T15:42:49.369346Z", "id": "CVE-2025-4966", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-06T16:09:04.913Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4966", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-06T15:42:49.369346Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-06T15:42:51.545Z"}}], "cna": {"title": "WP Online Users Stats <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via hk_dataset_results Function", "credits": [{"lang": "en", "type": "finder", "value": "Rajan Kshedal"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "hk1993", "product": "WP Online Users Stats", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-05T17:51:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a41226ab-9732-4de2-843b-284c011c9224?source=cve"}, {"url": "https://wordpress.org/plugins/wp-online-users-stats/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-online-users-stats/trunk/admin/class-wp-online-users-stats-admin.php#L118"}], "descriptions": [{"lang": "en", "value": "The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:56.919Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4966", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:12:56.919Z", "dateReserved": "2025-05-19T20:28:54.645Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-06T06:42:51.839Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hk1993:wp_online_users_stats:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1839725F-D43A-40F7-932C-08274898B5E0", "versionEndIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento WP Online Users Stats para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.0.0 incluida. Esto se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n hk_dataset_results(). Esto permite que atacantes no autenticados inyecten scripts web maliciosos mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-4966", "lastModified": "2025-07-10T14:46:30.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-06-06T07:15:27.790", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wp-online-users-stats/trunk/admin/class-wp-online-users-stats-admin.php#L118"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/wp-online-users-stats/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a41226ab-9732-4de2-843b-284c011c9224?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:37:41.089884+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Online Users Stats plugin to the latest release that incorporates a nonce check in hk_dataset_results().", "If an update cannot be applied immediately, limit the ability to trigger hk_dataset_results() to trusted administrators by tightening role\u2011based permissions or employing a security plugin that blocks unauthorized CSRF attempts. ", "As a temporary measure, remove or modify the hk_dataset_results() function in the plugin\u2019s admin code to eliminate the injection endpoint, or apply a custom patch that adds nonce validation before the function processes requests."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "All installations of the WP Online Users Stats plugin provided by hk1993 with a version of 1.0.0 or earlier are affected. No further version granularity is supplied, so any instance that has not been upgraded past version 1.0.0 remains vulnerable.", "description_and_impact": "The WP Online Users Stats plugin contains a missing nonce check inside the hk_dataset_results() function, which permits an unauthenticated attacker to trigger a forged request from a site administrator. This CSRF flaw enables the attacker to inject arbitrary scripts that are stored and later executed when other users load the admin page, resulting in stored XSS. The primary risk is the execution of malicious code in the context of the user\u2019s browser, allowing for session hijacking, data theft, or site defacement. The weakness is identified as CWE\u2011352.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity, while the EPSS score of less than 1% suggests that exploitation is expected to be rare. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack path requires an attacker to trick an authenticated site administrator into clicking a crafted link or otherwise submitting a request that invokes hk_dataset_results() without proper nonce validation. Though the attack vector is constrained, the impact if successful is significant, warranting prompt remediation."}}}}, "created": "2026-04-20T22:45:20.544066+00:00", "updated": "2026-04-20T22:45:20.544082+00:00", "vendors": []}