CVE-2025-4964

Name of the Vulnerable Software and Affected Versions WP Online Users Stats plugin for WordPress versions up to and including 1.0.0

Description The issue allows authenticated attackers with Editor-level access or higher to inject additional SQL queries into existing ones, potentially extracting sensitive information from the database. This is due to insufficient escaping of the user-supplied table name parameter and lack of proper preparation of the existing SQL query.

Recommendations For WP Online Users Stats plugin for WordPress versions up to and including 1.0.0, consider disabling the table name parameter until a patch is available to prevent potential SQL injection attacks. Restrict access to the plugin's functionality to minimize the risk of exploitation.