CVE-2025-32603: SQL Injection in WP Online Users Stats
Platform: wordpress
Component: wp-online-users-stats
Fixed in: 1.0.1
CVE-2025-32603 describes a SQL Injection vulnerability discovered in the WP Online Users Stats plugin. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized access and manipulation of sensitive data within the WordPress database. The vulnerability affects versions from 0 up to and including 1.0.0, and a patch is available in version 1.0.1.
Impact and Attack Scenarios
The SQL Injection vulnerability in WP Online Users Stats allows an attacker to bypass authentication and execute arbitrary SQL queries. This can result in the extraction of sensitive user data, including usernames, password hashes, email addresses, and potentially other personally identifiable information (PII) stored in the WordPress database. Successful exploitation could also allow an attacker to modify or delete data, leading to data corruption or denial of service. Because the injection is blind, the attacker does not see query results directly and must rely on more sophisticated inference techniques to extract data, but the page's assessment is that this significantly increases the potential impact if exploitation succeeds.
Exploitation Context
CVE-2025-32603 was publicly disclosed on 2025-04-11. Currently, there are no known active exploitation campaigns targeting this vulnerability. No public proof-of-concept (POC) code has been released, but the blind SQL injection nature of the vulnerability makes it likely that POCs will emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Threat Intelligence
EPSS: 0.23% (46th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: None — no integrity impact. Attacker cannot modify data.
- Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.
Mitigation and Workarounds
The primary mitigation for CVE-2025-32603 is to immediately update the WP Online Users Stats plugin to version 1.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent exploitation. While a direct WAF rule is difficult to implement due to the blind nature of the injection, monitoring database query logs for unusual patterns or unexpected SQL commands originating from the plugin's endpoint can provide an early warning. Regularly review and update WordPress security plugins and themes to minimize the overall attack surface.
How to fix
Update the WP Online Users Stats plugin to the latest available version to mitigate the SQL Injection vulnerability. Check for plugin updates directly in the WordPress admin dashboard or through the WordPress plugin repository. Implement additional security measures, such as user input validation and sanitization, to prevent future vulnerabilities.
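The input validation and parameterised-query pattern recommended above, shown as an added example. This is not code from the WP Online Users Stats plugin and does not reproduce its vulnerable query, which the advisory does not publish; the function name, the table name and the status values are hypothetical, and the snippet assumes it runs inside WordPress so that `$wpdb`, `absint()`, `sanitize_key()` and `WP_Error` are available.

```php
<?php
// Added example, not the plugin's own code. Assumes a loaded WordPress
// environment ($wpdb, absint(), sanitize_key(), WP_Error are WordPress APIs).

/**
 * Hypothetical lookup: count "online user" rows for one user id, filtered by
 * a status token. Both arguments arrive from the request and are untrusted.
 */
function hypothetical_online_users_count( $user_id, $status ) {
    global $wpdb;

    // 1. Validate type and range before the value reaches any SQL.
    //    absint() turns non-numeric or negative input into 0, which we reject.
    $user_id = absint( $user_id );
    if ( 0 === $user_id ) {
        return new WP_Error( 'invalid_user', 'user_id must be a positive integer' );
    }

    // 2. Allow-list opaque tokens instead of trying to "escape" them.
    //    sanitize_key() keeps only lowercase [a-z0-9_-]; the strict in_array()
    //    check then limits the value to the two constructed status names.
    $allowed_status = array( 'online', 'idle' );
    $status         = sanitize_key( $status );
    if ( ! in_array( $status, $allowed_status, true ) ) {
        return new WP_Error( 'invalid_status', 'unknown status value' );
    }

    // 3. Bind values with $wpdb->prepare(): %d and %s placeholders are filled
    //    by wpdb, so request data can never change the shape of the statement.
    //    The table name is hypothetical and is built from the trusted prefix.
    $table = $wpdb->prefix . 'hypothetical_online_users';
    $sql   = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE user_id = %d AND status = %s",
        $user_id,
        $status
    );

    return (int) $wpdb->get_var( $sql );
}

// The pattern the fix replaces: the same query with request input interpolated
// directly. Shown commented out; anything non-numeric in user_id would be
// executed as part of the statement instead of being treated as a value.
// $sql = "SELECT COUNT(*) FROM {$table} WHERE user_id = " . $_GET['user_id'];
```

One caveat worth keeping in mind when applying this pattern: `$wpdb->prepare()` binds values only, not identifiers, so a column used in `ORDER BY` or a table chosen from request data still has to go through an allow-list (as the status token does above) rather than a placeholder.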
Frequently asked questions
What is CVE-2025-32603 — SQL Injection in WP Online Users Stats?
CVE-2025-32603 is a critical SQL Injection vulnerability affecting the WP Online Users Stats plugin, allowing attackers to potentially extract or modify data in the WordPress database.
Am I affected by CVE-2025-32603 in WP Online Users Stats?
If you are using WP Online Users Stats version 0.0 to 1.0.0, you are affected. Immediately check your plugin version and upgrade if necessary.
How do I fix CVE-2025-32603 in WP Online Users Stats?
Upgrade the WP Online Users Stats plugin to version 1.0.1 or later. If upgrading is not possible immediately, disable the plugin.
Is CVE-2025-32603 being actively exploited?
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Where can I find the official WP Online Users Stats advisory for CVE-2025-32603?
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.