CVE-2025-32678: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the WordPress plugin WP Show Stats, affecting versions up to 1.5. The vulnerability was reported by security researcher Nabil Irawan on March 6, 2025, and was officially published on April 9, 2025, with the identifier CVE-2025-32678 (Patchstack).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) issue, identified as CWE-352. It received a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This scoring indicates that the vulnerability requires network access and user interaction, with low impact on integrity and no direct impact on confidentiality or availability (NVD).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The impact is considered low severity, though it poses a security risk particularly for authenticated users of WordPress installations running the affected plugin (Patchstack).

As no official fix is available and the software is considered abandoned, the recommended mitigation strategy is to remove and replace the WP Show Stats plugin with an alternative solution. It's important to note that merely deactivating the plugin does not remove the security threat unless a virtual patch is deployed (Patchstack).