Platform
wordpress
Component
wp-online-users-stats
Fixed in
1.0.1
CVE-2025-32603 describes a SQL Injection vulnerability discovered in the WP Online Users Stats plugin. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized access and manipulation of sensitive data within the WordPress database. The vulnerability affects versions from 0 up to and including 1.0.0, and a patch is available in version 1.0.1.
The SQL Injection vulnerability in WP Online Users Stats allows an attacker to bypass authentication and execute arbitrary SQL queries. This can result in the extraction of sensitive user data, including usernames, passwords, email addresses, and potentially other personally identifiable information (PII) stored in the WordPress database. Successful exploitation could also allow an attacker to modify or delete data, leading to data corruption or denial of service. The blind nature of the injection means the attacker doesn't see the results of the query directly, requiring more sophisticated techniques to extract data, but significantly increasing the potential impact if successful.
CVE-2025-32603 was publicly disclosed on 2025-04-11. Currently, there are no known active exploitation campaigns targeting this vulnerability. No public proof-of-concept (POC) code has been released, but the blind SQL injection nature of the vulnerability makes it likely that POCs will emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Websites using the WP Online Users Stats plugin, particularly those running older, unpatched versions (0–1.0.0), are at significant risk. Shared hosting environments where multiple websites share the same database are particularly vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "wp_online_users_stats" /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list --fields=name,status,version | grep wp-online-users-stats
• wordpress / composer / npm:
curl -s <wordpress_url>/wp-content/plugins/wp-online-users-stats/readme.txt | grep -iE "stable tag|version"
Disclosure
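The three commands above locate the plugin and print its version, but still leave the comparison against the fixed release to the reader. The following POSIX shell script is an added example, not part of the advisory or of the plugin, that parses a WordPress-style readme.txt (the standard "Stable tag:" line, with "Version:" as a fallback), compares the value against the fixed version 1.0.1 stated in the advisory, and reports whether the install falls in the affected range. The readme contents used at the bottom are constructed for the demonstration; the version comparison is done in awk so it does not depend on GNU `sort -V`.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an installed copy of
# wp-online-users-stats as affected (< 1.0.1) or patched by reading its readme.txt.

FIXED_VERSION="1.0.1"   # fixed release per the advisory

# Print the version declared in a readme.txt read from stdin.
# Matches "Stable tag: X.Y.Z" first, then "Version: X.Y.Z"; prints the first hit.
extract_version() {
  awk -F': *' '
    tolower($1) ~ /^(stable tag|version)$/ {
      sub(/[ \t\r]+$/, "", $2)   # strip trailing spaces / CRLF
      print $2
      exit
    }'
}

# version_lt A B -> exit 0 when A < B, comparing dot-separated numeric components
# (missing components count as 0, so "1.0" equals "1.0.0").
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1   # equal -> not less than
  }'
}

# check_plugin_readme PATH
#   prints one status line; returns 0 = affected, 1 = patched, 2 = version unknown
check_plugin_readme() {
  readme="$1"
  v=$(extract_version < "$readme")
  if [ -z "$v" ]; then
    echo "UNKNOWN: no Stable tag/Version line in $readme"
    return 2
  fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "AFFECTED: wp-online-users-stats $v < $FIXED_VERSION (CVE-2025-32603)"
    return 0
  fi
  echo "OK: wp-online-users-stats $v >= $FIXED_VERSION"
  return 1
}

# Demonstration on constructed readme.txt files (not real plugin files).
SAMPLE_DIR=$(mktemp -d)
printf '=== WP Online Users Stats ===\nStable tag: 1.0.0\nTested up to: 6.7\n' > "$SAMPLE_DIR/old.txt"
printf '=== WP Online Users Stats ===\nStable tag: 1.0.1\n' > "$SAMPLE_DIR/fixed.txt"
printf '=== WP Online Users Stats ===\nTested up to: 6.7\n' > "$SAMPLE_DIR/noversion.txt"
for f in old fixed noversion; do
  if check_plugin_readme "$SAMPLE_DIR/$f.txt"; then :; fi
done
rm -rf "$SAMPLE_DIR"
```

On a live site, point `check_plugin_readme` at `wp-content/plugins/wp-online-users-stats/readme.txt` (or at the output of the curl command saved to a file). A return code of 0 is the signal to upgrade or disable the plugin; a return code of 2 means the readme could not be parsed and the version should be confirmed from the WordPress admin panel instead.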
Exploit status
EPSS
0.23% (46th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-32603 is to immediately update the WP Online Users Stats plugin to version 1.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent exploitation. While a direct WAF rule is difficult to implement due to the blind nature of the injection, monitoring database query logs for unusual patterns or unexpected SQL commands originating from the plugin's endpoint can provide an early warning. Regularly review and update WordPress security plugins and themes to minimize the overall attack surface.
Update the WP Online Users Stats plugin to the latest available version to mitigate the SQL injection vulnerability. Check for plugin updates directly in the WordPress admin panel or through the WordPress plugin repository. Implement additional security measures, such as validation and sanitization of user input, to prevent future vulnerabilities.
CVE-2025-32603 is a critical SQL Injection vulnerability affecting the WP Online Users Stats plugin, allowing attackers to potentially extract or modify data in the WordPress database.
If you are using WP Online Users Stats version 0.0 to 1.0.0, you are affected. Immediately check your plugin version and upgrade if necessary.
Upgrade the WP Online Users Stats plugin to version 1.0.1 or later. If upgrading is not possible immediately, disable the plugin.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.