Stats Plugin Vulnerability

Anyone hosting their own blog and running the Stats plugin should update the plugin to version 1.1.1 immediately or apply the patch below. A critical SQL injection vulnerability was found and fixed. The bug could allow an attacker to steal administrative credentials. ( bloggers are not affected.)

Most users will want to download the latest version and simply copy the new files directly over the old ones. Subversion users may do `svn up`. Advanced users may apply the patch manually.

Thanks to Alex Concha who found and reported the bug to me. He also provided the fix.

Published by

Andy Skelton

Code Wrangler @ Automattic

18 thoughts on “Stats Plugin Vulnerability”

  1. Is it just me, or is there a tiny smile watching over me on the side of the new iframe? I see you smiley!

  2. is it intended that i dont see the ‘Blog Stats’ link in my dashboard when i’m not logged in as administrator? as normal user (even editor) i still just have the ‘Visit your Global Dashboard to see your blog stats.’-link there.
    actually i dont want to be logged in as admin all the time :/

Comments are closed.