There is a SQL injection vulnerability in wp-stats.php, as stated in http://secunia.com/advisories/18471/

I have fixed the exploit by adding $wpdb->escape($string);
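
Added example (not the plugin's code, and not from the original post): how escaping of the kind described above behaves when the value sits inside a quoted SQL string versus an unquoted numeric position. The FakeWpdb class, the parameter names and the queries are hypothetical, and escape() is modelled as addslashes(), which is an assumption about the WordPress version in use.

```php
<?php
// Stand-in for $wpdb so this runs without WordPress (hypothetical class).
// Assumption: escape() behaves like addslashes(), i.e. it backslash-escapes
// single quotes, double quotes, backslashes and NUL bytes, and nothing else.
class FakeWpdb {
    public $comments = 'wp_comments';
    public function escape($string) {
        return addslashes($string);
    }
}
$wpdb = new FakeWpdb();

// Constructed sample input standing in for request parameters.
$author = "O'Brien";    // text value that contains a quote
$post   = "1 OR 1=1";   // value the code expects to be a number

// Before: raw value inside a quoted literal. The quote in the input closes
// the literal early, so the remainder is parsed as SQL.
$before = "SELECT COUNT(*) FROM {$wpdb->comments} WHERE comment_author = '$author'";

// After: escaped value inside a quoted literal. The quote becomes \' and
// the whole input stays inside the string.
$after = "SELECT COUNT(*) FROM {$wpdb->comments} WHERE comment_author = '"
       . $wpdb->escape($author) . "'";

// Caveat: the same escaping in an unquoted numeric position. The input has
// no quotes or backslashes, so escape() returns it unchanged.
$weak = "SELECT COUNT(*) FROM {$wpdb->comments} WHERE comment_post_ID = "
      . $wpdb->escape($post);

// Numeric positions need a cast (or quoting plus escaping) instead.
$safe = "SELECT COUNT(*) FROM {$wpdb->comments} WHERE comment_post_ID = "
      . intval($post);

$rows = array(
    'raw, quoted'       => $before,
    'escaped, quoted'   => $after,
    'escaped, unquoted' => $weak,
    'cast, unquoted'    => $safe,
);
foreach ($rows as $label => $sql) {
    printf("%-18s %s\n", $label . ':', $sql);
}

// True when escaping changed nothing, i.e. it gave no protection here.
printf("escape() left numeric input unchanged: %s\n",
       $wpdb->escape($post) === $post ? 'yes' : 'no');
```

When reviewing a fix of this kind, check each place the escaped value is concatenated into a query and confirm it is wrapped in quotes; any value used as a number should be cast instead.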