I usually don’t mention WordPress vulnerabilities here, but since I use WordPress and the vulnerable plugin I figured I’d mention it (now that I’m patched).
The WordPress Stats plugin by Automattic (Andy Skelton ) had a critical SQL injection vulnerability that could allow admin credentials to be stolen. The vulnerability was patched in version 1.1.1 and was released July 27th.
I typically turn off (deactivate) plugins before updating them and in this case I had to re-enter the API key when activating the updated plugin.