I’m writing this post in English because it might be helpful to many people around the world who use this plugin.
For those who don’t know, the referer is the URL of the page the visitor came from before entering your blog, and the user agent identifies the web browser they used to surf your blog. Both are plain HTTP request headers sent by the client, so an attacker can set them to whatever they like, including HTML and JavaScript, and a stats plugin that stores them and later prints them unescaped into the admin page lets that code run in the administrator’s browser.
What could happen? Well, it depends on the attacker’s creativity. They could simply redirect the admin to a cloned WordPress login page to capture the password, or be more subtle and steal the admin’s cookie and gain access without the admin ever knowing.
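The following is an added illustration of the pattern described above, not code from StatPress or from this post’s author. It shows the same stats row rendered two ways: once by echoing the stored header values as-is (the injectable pattern) and once with output escaping. The `$sample_server` array is a constructed request, not captured traffic; `htmlspecialchars()` is used so the snippet runs outside WordPress, where a plugin would call `esc_html()` and `esc_url()` instead.

```php
<?php
// Added example, not StatPress code: stored XSS through request headers.
// Any HTTP client sets Referer and User-Agent freely; a stats plugin that
// stores them and later echoes them into an admin page runs them in the
// administrator's browser session.

// Constructed sample request (assumption: what a malicious visitor sends).
$sample_server = [
    'HTTP_REFERER'    => 'http://example.invalid/"><script>alert(document.cookie)</script>',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 <img src=x onerror="alert(1)">',
];

// The injectable pattern: stored header values written into HTML unchanged.
function render_row_unsafe(array $server): string {
    return '<tr><td>' . ($server['HTTP_REFERER'] ?? '') . '</td>'
         . '<td>' . ($server['HTTP_USER_AGENT'] ?? '') . '</td></tr>';
}

// Hardened: escape at output time, every time the value reaches HTML.
// Escaping only when storing is not enough, because other code paths may
// print the raw stored value. In WordPress use esc_html() / esc_url().
function render_row_safe(array $server): string {
    $referer = htmlspecialchars($server['HTTP_REFERER'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $ua      = htmlspecialchars($server['HTTP_USER_AGENT'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $referer . '</td><td>' . $ua . '</td></tr>';
}

echo "Unsafe row (script tags survive intact):\n";
echo render_row_unsafe($sample_server), "\n\n";
echo "Escaped row (angle brackets and quotes become entities):\n";
echo render_row_safe($sample_server), "\n";
```

Run it with `php example.php` and compare the two rows: in the first, the `<script>` and `<img onerror>` fragments are emitted verbatim and would execute when the admin opens the stats page; in the second they are rendered as text. Marking the authentication cookie HttpOnly blunts the cookie-theft variant, but not the redirect-to-fake-login variant, so the real fix is escaping on output.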
What can you do to solve this problem? Well, since I’m a StatPress user myself, I tried to contact the author almost one month ago, when I found this vulnerability. So far I have received no response, so I decided to patch the problem myself (yep, the power of open source :D).
Patch note: To apply the patch, just extract it and overwrite your statpress.php, located in the plugins/wp-statpress directory, with this provided
Update: The author has released the official update. Check here.