The Sucuri Team discovered a critical vulnerability in older versions of the WP Statistics plugin (prior to version 8.3.1) that allows an attacker to use XSS vectors (stored cross-site scripting and reflected XSS) to force a victim’s browser to perform administrative tasks on the attacker's behalf. In other words, if you are running an older version of the WP-Statistics plugin, an attacker can use this vulnerability to create a new admin account on your WordPress site.
This vulnerability is easy to exploit and can be exploited remotely. Fortunately, the team at Sucuri has not revealed the technical details yet; otherwise, script kiddies would have a field day scanning the millions of WordPress installations.
If you are using the WP-Statistics plugin, please upgrade to version 8.3.1 or later immediately to prevent an attacker from wreaking havoc on your WordPress site.