Description
The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-06-06
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via CSRF
Action: Patch Immediately
AI Analysis

Impact

The WP Online Users Stats plugin contains a missing nonce check inside the hk_dataset_results() function, which permits an unauthenticated attacker to trigger a forged request from a site administrator. This CSRF flaw enables the attacker to inject arbitrary scripts that are stored and later executed when other users load the admin page, resulting in stored XSS. The primary risk is the execution of malicious code in the context of the user’s browser, allowing for session hijacking, data theft, or site defacement. The weakness is identified as CWE‑352.

Affected Systems

All installations of the WP Online Users Stats plugin provided by hk1993 with a version of 1.0.0 or earlier are affected. No further version granularity is supplied, so any instance that has not been upgraded past version 1.0.0 remains vulnerable.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity, while the EPSS score of less than 1% suggests that exploitation is expected to be rare. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack path requires an attacker to trick an authenticated site administrator into clicking a crafted link or otherwise submitting a request that invokes hk_dataset_results() without proper nonce validation. Though the attack vector is constrained, the impact if successful is significant, warranting prompt remediation.

Generated by OpenCVE AI on April 20, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Online Users Stats plugin to the latest release that incorporates a nonce check in hk_dataset_results().
  • If an update cannot be applied immediately, limit the ability to trigger hk_dataset_results() to trusted administrators by tightening role‑based permissions or employing a security plugin that blocks unauthorized CSRF attempts.
  • As a temporary measure, remove or modify the hk_dataset_results() function in the plugin’s admin code to eliminate the injection endpoint, or apply a custom patch that adds nonce validation before the function processes requests.

Generated by OpenCVE AI on April 20, 2026 at 22:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17075 The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00014}

 epss

{'score': 0.00018}

Thu, 10 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Hk1993
Hk1993 wp Online Users Stats
CPEs cpe:2.3:a:hk1993:wp_online_users_stats:*:*:*:*:*:wordpress:*:*
Vendors & Products Hk1993
Hk1993 wp Online Users Stats

Fri, 06 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Jun 2025 07:00:00 +0000

Type Values Removed Values Added
Description The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title WP Online Users Stats <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via hk_dataset_results Function
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Hk1993 Wp Online Users Stats
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:56.919Z

Reserved: 2025-05-19T20:28:54.645Z

Link: CVE-2025-4966

cve-icon Vulnrichment

Updated: 2025-06-06T15:42:51.545Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-06T07:15:27.790

Modified: 2025-07-10T14:46:30.713

Link: CVE-2025-4966

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:45:20Z

Weaknesses