The plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP, browser and platform parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics