Stats Plugin Vulnerability

Anyone hosting their own blog and running the WordPress.com Stats plugin should update the plugin to version 1.1.1 immediately or apply the patch below. A critical SQL injection vulnerability was found and fixed. The bug could allow an attacker to steal administrative credentials. (WordPress.com bloggers are not affected.)

Most users will want to download the latest version and simply copy the new files directly over the old ones. Subversion users may do `svn up`. Advanced users may apply the patch manually.

Thanks to Alex Concha who found and reported the bug to me. He also provided the fix.

18 Comments

  1. Thanks!

  2. Question: what if we didn’t upgrade to 1.1? Are we at risk?

  3. machmoth

     /  July 27, 2007

    Is it just me, or is there a tiny smile watching over me on the side of the new iframe? I see you smiley!

  4. I upgraded :D

  5. @Jonathan: yes, unless you manually fix the problem.

  6. alder

     /  July 29, 2007

    is it intended that i dont see the ‘Blog Stats’ link in my dashboard when i’m not logged in as administrator? as normal user (even editor) i still just have the ‘Visit your Global Dashboard to see your blog stats.’-link there.
    actually i dont want to be logged in as admin all the time :/

  1. WordPress.com Stats Vulnerability | Joseph Scott's Blog
  2. www dot james mckay dot net » I could have told you this would happen...
  3. Stats Plugin Vulnerability | Crucial Thought
  4. Top Posts « WordPress.com
  5. » Wp-Plugin WordPress.com Stats » WordPress Italy
  6. Worpress.com Stats Plugin Vulnerability : JaypeeOnline | Blogging News & Reviews
  7. WordPress.com Stats Plugin 1.1 - pestaola.gr
  8. WordPress.com 統計外掛 1.1.1 版 « Kirin Lin
  9. Wordpress.com Stats Plugin: Upgrade to version 1.1.1 | InvestorBlogger
  10. PandaCube - A Digital Notebook » Blog Archive » Critical Update on WordPress.com Stats Plugin
  11. Critical Update for WordPress Self Hosted Blog Stats « A Guilty Pleasure
  12. Wordpress Plugin: Wordpress Stats Update to v1.1.1 at The OS Quest
Follow

Get every new post delivered to your Inbox.

Join 1,667 other followers

%d bloggers like this: