The plugin is vulnerable to Cross-Site Request Forgery because the stats_page function in the ~/stetic.php file does not validate a nonce, which made it possible for attackers to inject arbitrary web scripts. The CSRF issue was fixed in 1.0.7, and sanitisation and escaping were added across versions 1.0.7 to 1.0.9.
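
The three fixes named above (nonce validation, sanitisation on input, escaping on output) look like this in a WordPress admin page handler. This is an added illustration, not the plugin's own code; every `example_*` name, the option key and the form field are hypothetical.

```php
<?php
// Added illustration, not code from the plugin. All example_* identifiers,
// the option key and the form field name are hypothetical.

add_action('admin_menu', function () {
    // Only users with manage_options see the page in the menu.
    add_options_page('Example Stats', 'Example Stats', 'manage_options',
        'example-stats', 'example_stats_page');
});

function example_stats_page() {
    // Capability check: the menu entry alone is not an authorisation control.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.'));
    }

    if ('POST' === $_SERVER['REQUEST_METHOD']) {
        // CSRF defence: aborts the request when the nonce is missing or
        // invalid, so a request forged from another site cannot change state.
        check_admin_referer('example_stats_save', 'example_stats_nonce');

        // Sanitise on input: strip tags and control characters before storing.
        $raw = isset($_POST['example_token'])
            ? wp_unslash($_POST['example_token'])
            : '';
        update_option('example_stats_token', sanitize_text_field($raw));
    }

    $token = get_option('example_stats_token', '');
    ?>
    <div class="wrap">
      <form method="post">
        <?php // Emits the hidden nonce field checked by check_admin_referer(). ?>
        <?php wp_nonce_field('example_stats_save', 'example_stats_nonce'); ?>
        <?php // Escape on output: the stored value cannot break out of the attribute. ?>
        <input type="text" name="example_token"
               value="<?php echo esc_attr($token); ?>">
        <?php submit_button(); ?>
      </form>
    </div>
    <?php
}
```

The nonce check stops the forged request; the sanitise and escape calls ensure that a value stored before the fix, or through any other path, is still rendered as inert text.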