When visiting a site running Web-Stat < 1.4.0, the “wts_web_stat_load_init” function used the visitor’s browser to send an XMLHttpRequest to https://wts2.one/ajax.htm?action=lookup_WP_account. This request contained sensitive information such as the site’s “wts_web_stat_uid”, which was sent in the “wpid” parameter. The response to this request contained an API key that could be used to directly access the stats admin dashboard hosted on a third-party site. Version 1.4.0 partially addressed these issues, but the dashboard API key was still visible to users with minimal permissions, such as subscribers, in the source of the wp-admin panel.
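The underlying defect is a third-party credential being handed to browsers that have no business holding it: first to every visitor via a client-side lookup, then to every logged-in user via the wp-admin page source. The following PHP is an added illustration of the defensive pattern for a WordPress plugin; it is not Web-Stat’s code, and every function name, option name, hook suffix and endpoint URL in it is hypothetical. The weak form mirrors the class of bug described above (key localized into a script for all admin users); the hardened form keeps the key on the server, restricts the page’s script to administrators on the plugin’s own settings page, and proxies the upstream lookup through a capability- and nonce-checked AJAX handler so neither visitors nor low-privilege users ever receive the key.

```php
<?php
// Added illustration (not Web-Stat's code): all names below are hypothetical.

// WEAK: the third-party dashboard key is handed to every logged-in user's
// browser on every wp-admin page, including subscribers, because
// admin_enqueue_scripts fires for all admin pages and all roles.
function example_weak_admin_assets() {
    $key = get_option( 'example_dashboard_api_key' );
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleStats', array( 'apiKey' => $key ) );
}
// add_action( 'admin_enqueue_scripts', 'example_weak_admin_assets' ); // do not use

// HARDENED: the key never leaves the server. The admin page receives only a
// nonce, and the stats lookup is proxied through an AJAX handler that checks
// the capability and the nonce before using the key server-side.
function example_hardened_admin_assets( $hook_suffix ) {
    // Only on the plugin's own settings page (slug 'example-stats' under
    // Settings), and only for users who may manage options.
    if ( 'settings_page_example-stats' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleStats', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_stats_lookup' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_hardened_admin_assets' );

// Server-side proxy: the browser asks WordPress, WordPress asks the
// third-party service with the secret, and only non-secret fields come back.
function example_stats_lookup() {
    check_ajax_referer( 'example_stats_lookup', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $key      = get_option( 'example_dashboard_api_key' );
    $response = wp_remote_get(
        'https://stats.example.invalid/api/summary', // placeholder endpoint, not a real service
        array(
            'headers' => array( 'Authorization' => 'Bearer ' . $key ),
            'timeout' => 10,
        )
    );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'upstream_error', 502 );
    }
    // Return only the fields the dashboard widget needs; never echo the key
    // or the raw upstream body.
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    wp_send_json_success( array(
        'visits' => isset( $body['visits'] ) ? (int) $body['visits'] : 0,
    ) );
}
add_action( 'wp_ajax_example_stats_lookup', 'example_stats_lookup' );
```

Two checks worth running against any plugin in this situation: view the source of a wp-admin page while logged in as a subscriber and search for the credential or any `wp_localize_script` payload that carries it, and watch the browser’s network panel on a public page for requests to third-party hosts that include site identifiers. The hardened form above passes both because the only value that reaches a browser is a short-lived nonce bound to the current user.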