There were two bugs discovered and fixed in the popular WordPress “WP Statistics” plugin. The first one is a SQL Injection vulnerability that could be exploited by a local, low-privileged user, like a “Subscriber” account. A SQL Injection attack could allow that subscriber to be able to add an “Administrator” account.
About the time that this bug was fixed, a Cross-Site Scripting (XSS) vulnerability was detected in that same WP Statistics plugin, and also fixed. If you use this plugin, make sure you update it right away.
A Cross-Site Scripting (XSS) bug was also found in the “All-in-One WP Migration” plugin. This has been corrected. Please update this plugin if it has been installed.
A reflected Cross-Site Scripting (XSS) vulnerability was found with the “WP Download Manager” plugin. This has been fixed. Please update this plugin if you’ve installed it.
A new Joomla security update is available which fixes two XSS vulnerabilities and an information disclosure vulnerability.
