Stats Plugin Vulnerability

Anyone hosting their own blog and running the Stats plugin should update the plugin to version 1.1.1 immediately or apply the patch below. A critical SQL injection vulnerability was found and fixed. The bug could allow an attacker to steal administrative credentials. ( bloggers are not affected.)

Most users will want to download the latest version and simply copy the new files directly over the old ones. Subversion users may do `svn up`. Advanced users may apply the patch manually.

Thanks to Alex Concha who found and reported the bug to me. He also provided the fix.


  1. Thanks!

  2. Question: what if we didn’t upgrade to 1.1? Are we at risk?

  3. machmoth / July 27, 2007

     Is it just me, or is there a tiny smile watching over me on the side of the new iframe? I see you smiley!

  4. I upgraded :D

  5. @Jonathan: yes, unless you manually fix the problem.

  6. alder / July 29, 2007

     Is it intended that I don't see the 'Blog Stats' link in my dashboard when I'm not logged in as administrator? As a normal user (even editor) I still just have the 'Visit your Global Dashboard to see your blog stats.' link there.
     Actually I don't want to be logged in as admin all the time :/
