CVE-2025-4966: 
WordPress vulnerability analysis and mitigation

The WP Online Users Stats plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 1.0.0, discovered in June 2025. The vulnerability stems from missing nonce validation within the hkdatasetresults() function, making WordPress sites using this plugin susceptible to attack (NVD, Wiz).

The vulnerability exists in the hkdatasetresults() function of the plugin's admin interface, which lacks proper nonce validation - a critical security control designed to prevent CSRF attacks. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (Wiz).

The vulnerability allows unauthenticated attackers to inject malicious web scripts through forged requests when they can trick a site administrator into performing specific actions, such as clicking on a malicious link. This could lead to unauthorized actions being performed in the context of the administrator's session (NVD).

The plugin has been temporarily closed as of June 4, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).