CVE-2025-32603: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-32603) was discovered in HK WP Online Users Stats WordPress plugin versions up to 1.0.0. The vulnerability was reported on April 9, 2025, by Tran Nguyen Bao Khanh from VCI-VNPT and publicly disclosed on April 11, 2025. This unauthenticated SQL injection vulnerability allows for blind SQL injection attacks (Patchstack).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It received a CVSS v3.1 base score of 9.3 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD).

The SQL injection vulnerability could allow malicious actors to directly interact with the website's database, potentially leading to unauthorized access to sensitive information. The high CVSS score of 9.3 indicates critical severity, suggesting significant potential impact on affected systems (Patchstack).

Currently, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement immediate mitigation measures (Patchstack).