Unfortunately (or luckily you choose) JPCERT/CC discovered a security issue on almost every WassUp version since this new one. An attacker could inject malicious code in a manner I will not show you here for your security, but trust me, it’s true.

SO PLEASE UPDATE ASAP YOUR WASSUP VERSION BECAUSE YOU ARE NOT ON SECURITY WITH OLD VERSIONS.

Download WassUp Version 1.8.3.1

Thank you all for your support and feedbacks

Changelog:

• fixed security issue

Download WassUp Version 1.8.3

Thank you all for your support and feedbacks

Changelog:

• added 3 new top stats option settings:
• 1) “top_limit” to extend top stats list to more (or less) than 10 items
• 2) “top_postid” to show the top posts/pages (top articles) by title
• 3) “top_nospider” to exclude all spiders from top stats counts
• added a new option setting of ‘wassup_spy_speed’ to manually adjust SPY data rate.
• added “username” (md5 encoded) to wassup cookie data for better tracking of logged-in visitors.
• updated ‘jquery’ to version 1.6.4 and ‘jqueryUI’ (googleapi) to version 1.8.16.
• updated css for WordPress 3.2 style changes.
• updated SQL code in ‘wGetStats’ function.
• updated wassup “wUpdateTable” function to manually upgrade
• ‘wp_wassup’ table column by column instead of using WordPress’ ”dbDelta” function. Since WordPress 3.1 (or 3.0), there are new problems with “dbDelta” failing on large table structures like wp_wassup.
• renamed “MainItems” class to “WassupItems” due to a namespace conflict with another plugin that was brought up in WassUp forums.
• renamed “$debug_mode” to “$wdebug_mode”, “$Tot” to “wTot”, $recent to $recent_hits and several other variables, similarly, for better namespace compatibility with other plugins.
• removed 3rd parameter, “screen_res”, from WordPress hook functions because it is ignored by WordPress. Changed “wscreen_res” to a global variable instead.
• commented out a section of duplicate code found in “wUpdateTable” function.
• cleaned php code and javascripts.
• minor style and image changes.
• tested on WordPress 3.1.1, 3.1.2, 3.2, and 3.2.1

Download WassUp Version 1.8.2

Thank you all for your support and feedbacks

Here is 1.8.2 changelog:

• renamed “$pageview”, “$filters”, and “$table_name” variables for namespace compatibility with other plugins (ex. NextGen Gallery).
• fixed the typo in “wassup_install()” function (changed “remove_option” to “delete_option”).
• updated search engine regex for better search phrase detection.
• added test for shortened url in referrer string (are faked referrers).
• removed ‘yandex’ from list of spammer rx drug keywords (is Russian search engine).
• updated referrer bad hostnames for latest spammers.
• minor updates to css and icons for style.

Download WassUp Version 1.8.1

Thank you all for your support and feedbacks

Here is 1.8.1 changelog:

• fixed warning for ‘set_time_limit’ error in ‘wassup_scheduled_dbtask’ function and corrected the typo in the function argument.
• fixed warning for ‘preg.match’ compilation error in ‘wGetSpamRef’ function.
• disabled PHP warning error reporting in ‘wassupAppend’ function so only fatal errors are displayed except when ‘debug_mode’ is set.
• updated ‘readme.txt’ Installation instructions to include new information and a warning about upgrading when web site is busy.
• updated stylesheet ‘wassup.css’ with minor changes margins and border color.
• added a time period to ‘top ten’ report heading and replaced ‘top ten’ with ‘top stats’ in some places.
• updated referrer spam list.
• minor code changes for putting “jquery” on WassUp pages.

Let’s go to update!

Download WassUp Version 1.8

Changelog Summary:

49 new features & code improvements
16 bug & security fixes

=============================
New features and improvements:
=============================

1) Added plugin action link for “settings” (Wassup-Options) in plugins admin area.
2) Added ‘wassup stats’ as Dashboard submenu item in WordPress 2.7+. Thanks to @rcdailey for this suggestion.
3) Added more security checks to improve WassUp security: -Added new code to recognize and deflect script-injection exploit attempts using Wassup.  Note: this only protects Wassup’s code, not WordPress. -Added an “index.php” file to all wassup subdirectories to prevent unauthorized views of directory path contents on insecure servers. -Added a check for ABSPATH in “wassup.php” to verify that a Wassup request is a valid WordPress request.
4) Added a new module, “lib/compat_functions.php”, that contains backward compatibility functions required for Wassup 1.8 to run on PHP 4.3-5.1 and WordPress 2.2-2.5.
5) Added a new function, ‘wFetchAPIData()’ in “main.php”, that retrieves remote API data even when ‘cURL’ is not present.
6) Added a new, third table, “wassup_meta”, that gives Wassup 1.8 internal caching capability (of remote API data) and the ability to store additional tracking information (future). Notes: -Wassup API caching requires WordPress 2.5 or higher. -Users upgrading to v1.8 must turn on Wassup API cache manually.
7) Added three new user-customizable options to Wassup-Options and improved existings options and interface: a) New option, “wassup_time_period”, to select a default date/time range different from 24 hours in Visitor detail. This closes ticket #73. b) New option, “wassup_cache”, to turn on remote API (geoip/chart) data caching for Wassup Spy, and Visitor detail and dashboard chart. c) New option, “delete_filter”, to restrict automatic deletes to specific record types (“spam”, “spider”, or “all”). d) Extended “delete_auto” selections to include a “2 weeks” delete time period. e) Extended Visitor detail time period views to include new selections for “1 hour”, “6 hours”, and “2 weeks” of data. f) Extended “Manage Files&Database” section to include new sub-section, ”Delete Old Records” and added a “Delete Now” button and updated code to display a count of number of records deleted.
8) Added installation warnings to Wassup’s ‘install’ and ‘upgrade’ functions and modified code to improve performance: a) Created a new module, “lib/upgrade.php” containing Wassup’s upgrade and install functions. These were separated from ”wassup.php” so that they could be loaded as needed, reducing Wassup’s consumption of active PHP memory. b) Added an installation warning when ‘WP_CACHE’ is set to alert  users of possible page-caching conflict.
9) Added new function ‘wassup_dbtask()’ that takes a queue of database maintenance tasks (in an array) and runs each code incrementally to minimize chances of a database lock interrupting task.
10) Updated WassUp’s stylesheets and javascripts: a) Added a “gray” background, brightened existing colors, and added wrap and scroll options to css. b) Moved css files and background images to a separate directory called “css”. c) Removed the html “<style>” tag from “settings.php” code and put the options styles in “css/wassup.css” stylesheet instead. d) Upgraded “jQuery” to version “1.4.2″ (bugfix #9) and modified code to use WordPress built-in jquery in WP 2.7+. e) Replaced the problematic “ui.tabs” jquery plugin (ui.tabs.css, ui.tabs.js, ui.core.js) with jquery UI library and css files at ’http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/’. (bugfix#10) f) Modified “Thickbox” code to include a “slideUp” animation g) Moved all thickbox files and “css” to “js/thickbox” directory.
11) Updated WassUp charts to improve performance, accuracy and style: a) Added 5-minute caching of chart url (in “wassup_meta”) to avoid redundant chart queries on database when a user uses pagination. b) Changed 24-hour and 7-day charts time periods to use a minimum of 6 data points to better show all dips and spikes on chart. c) Changed grid size to 4 horizontal lines and 7-14 vertical lines and aligned grid to actual axes points. d) Changed calculation of MySQL time offset in charts to use a simple subtraction of MySQL “current time” from WordPress ”current time” to get an accurate value for x-axis timeline. The problematic “timezone” value itself is no longer used to determine offset (bugfix #8) e) Changed chart style to include a gradient and background color,increased chart height from “200″ to “270″, and added a horizontal scroll whenever chart width exceeds window size.
12) Updated Wassup’s Details page to improve performance and style: a) Modified code to reduce the number of database calls. b) Added a “refresh” button for manual refresh of the details screen before timer ends. c) Moved User-Agent “toggle” link from “hostname” field to the ”Browser”, “Spider”, and “OS” fields. “hostname” toggle is disabled for now, but may be used as a “whois” information link in the future.
13) Updated Wassup-spy page for improved geolocation and compatibility: a) Changed geolocation remote API service to http://freegeoip.net. Thanks to Alexandre Fiori (@AlexandreFiori) for permitting us to use his API. b) Enabled caching of geolocation data in “wassup_meta” table for up to 1 week. c) Renamed “spy.js” to “spia.js” and renamed “spyview()” function to “wassup_spiaview()” to improve apache “mod_security” compatibility. (see bugfix #1). d) Modified google!maps javascript to pan only to the 1st marker on the ajaxed list (last visitor). e) Added more visitor details to map marker text f) Increased spiaview list size from 10 to 12 items, added a country flag, to each item, and changed the map height from 200 to 270.
14) Updated Wassup tracker functions (“wassupAppend” and “wassupPrepend”): a) Added a ‘send_headers’ hook for improved tracking of media, feeds, “robots.txt”, and non-html requests within WordPress. b) Modified “wassup_screen_res” cookie value to improve compatibility with ‘WP Firewall’ plugin. Important Note: Existing Wassup users must wait 2 days after upgrading to Wassup 1.8 before installing ‘WP Firewall’ plugin to avoid visitors getting blocked from your site because the old wassup_screen_res cookie has not yet expired. c) Improved 404-page and hack-attempt detection. d) Improved detection of disguised spiders by checking for excessive pageviews within a short time period. (threshold: 8+ page views in < 17 seconds)
15) Modified ‘insert_into_wp’ function to use WordPress’ “wpdb::insert” method when available and when it won’t affect “delayed insert”.
16) Updated search engine detection in Wassup’s “wGetSE()” function: a) Added search engines ‘Bing Cache’, ‘Bing Images’, ‘Google Cache’, ’Google Mobile’, ‘Google IPv6′, ‘Yahoo Mobile’, and ‘Yippy’ to list of known search engines. b) Changed Google’s primary page rank parameter from ‘start’ to ’cd’. ‘start’ is being used less and less by Google and may be deprecated from their search results soon. c) Changed ‘Google Images’ search detection to use “imgres” instead of the subdomain, ‘images.google.com’. The “images” subdomain is no longer seen in searches and may already be deprecated. d) Modified ‘getQueryPairs’ function to return results from partial urls so that encoded search strings within the query string can be retrieved.
17) Improved spam and hack detection code: a) Changed spam tests on referrer string to use ‘preg_match’ regex to reduce incidences of false matching of referrer spam domains. b) Edited “badhosts.txt” file to remove obsolete domains and to add regex quotes to special character (.-). d) Split “badhosts.txt” content into 2 files, “badhosts.txt” and ”badhosts-intl.txt”. Separating international domains from other from other domains, keeps the files smaller and faster to read, thus improving Wassup speed during spam check. e) Updated spam array in ‘wSpamRef’ for the latest (known) spammers. f) Added a new function, “wIsAttack()” to identify and tag suspicious requests as “hack attempts”.
18) Updated Wassup’s main table to improve tracking: a) Increased width of ‘ip’ field to “50″ to store larger ipv6 addresses (future). b) Implemented tracking of ‘post-id’ and ‘page-id’ of url requests in the field ‘wpurl_id’. Currently these are only viewable in ”raw data” window.
19) Updated Wassup’s “readme.txt” file to add 2 screenshots, a FAQ section, and a changelog section. Edited description for new features and to fix some grammatical errors.
20) Modified code to improve WassUp’s overall performance and memory consumption: a) Improved load speed by separating most of Wassup’s admin functions from it’s tracker functions with an ‘is_admin()’ test. b) Reduced the number of global variables used. c) Replaced most ‘strtotime’ functions with simple arithmetic on timestamp (in seconds). ‘strtotime’ is slower and less accurate because it automatically adjusts for timezone. d) Commented-out or deleted unused or redundant functions and javascripts from Wassup to reduce Wassup’s memory footprint. These include: ’generate_calendar’…unused. ’backup_wassup’…unused. ’wassup_get_time’…redundant to ‘current_time’ in WordPress; ’go’ and ‘go2′ javascripts…unused. ’array_search_extended’…no longer used by ‘wGetSE’ e) Removed wassup meta tag from page head contents.
21) Various minor changes: 1) Renamed ‘wassup_meta_info’ function to ‘wassup_head’.

========================
Bug & Security fixes:
========================

1) Fixed (I hope) automatic blocking of “spy.js” execution by apache ”mod_security” module by renaming “spy.js” file to “spia.js”. Closes ticket #110.
2) Fixed “pagination” name conflict with other plugins by renaming pagination class to “wassup_pagination”. Closes ticket #111.
3) Fixed Wassup-detail error, “Invalid argument in foreach”, that was triggered whenever a user selected a new time range while viewing a page number that does not exist in the new range.
4) Fixed time display in chronology lists to display AM/PM time when the 12-hour option is set in wassup-options.
5) Fixed misspelling of “chronology” in javascript.
6) Fixed Google maps API signup address in “Options”. Thanks to @Bengo_matus for 1st noticing that this needed to be updated.
7) Fixed bug in uadetector” module where Win7 was erroneously identified as Win2008. Currently there is no way to distinguish Win2008 server from WinVista in browsers, so Win2008 will no longer be tracked. Note: A retroactive fix of the data affected by this bug is a part of this update.
8) Fixed bug in chart x-axis timeline and modified code to account for timezone changes implemented in WordPress 2.8.3+
9) Fixed “jQuery” compatibility problem by upgrading to version “1.4.2″ of jquery.
10) Fixed jquery “ui.tabs” plugin compatibility problem by linking directly to “jqueryui” js and css files at ‘http://ajax.googleapis.com’.
11) Fixed dashboard widget control to prevent users with insufficient permissions from seeing more than they should in the dashboard widget. Thx to etardwebcam for alerting us to this problem.
12) Fixed Italy and Ireland flag colors so that the “red” of Italy and the ”orange” of Ireland are clearly distinguishable from each other.
13) Miscellaneous minor changes and bug fixes.

Indeed I didn’t do almost anything in this release so you have to thank Helene, the co-author of WassUp, who did a wonderful job.

I’m currently finishing to test this new version but I just know you will be the best testers for it, so give me only some time to package everything and to post here the main changes and we will be able to enjoy everybody this new great work from Helene!

Stay tuned! We are releasing very soon!

Download WassUp Version 1.7.2.1

The changelog:

- commented out the code for automatic page reload with ‘wscr’ GET parameter because it inflated the number of page views per visitor in Wassup’s logs. Also commented out other code related to ‘wscr’ GET parmeter in “wassup.php”.
- modified duplicate check in “wassupappend()” to remove the ‘wscr’ argument from the url being tested.
- changed “screen_res” variable assignment in “wassup_meta_info()”, “wassupappend()” and “wassupPrepend()” to include $_ENV['HTTP_UA_PIXELS'], a http header global sometimes sent by IE and IE Mobile browsers.
- changed the mysql query for main/detail chronology sublists in “wassup()” to include an “order by ‘timestamp’” clause instead of “by ‘id’” because delayed inserts can cause ‘id’ to be NOT sequential with ‘timestamp’. Also added ‘distinct’ to the select statement to exclude duplicates from list.
- in “main.php”, removed ‘attribute_escape’ from ‘stringshortener’ $input string because it put garbage characters (ex: &#0;) in the resulting shortened urls. ‘stringshortener’ now outputs ‘$outstring’ or ‘false’ only.
- fixed czech language files

There are a lot of changes and some new languages added (thank guys! we have reached 25 language translations almost complete, you rock!).

Download WassUp Version 1.7.2

ChangeLog 1.7.2:

=============================

New features and improvements:

=============================

1) Updated Visitor Detail (Latest Hits) screen interface options:

-Extended the automatic timer and ticker to include a pause/restart

toggle option that is triggered when the mouse is clicked on the

countdown numbers.

-Modified the searchbox to restrict initial search parameters to the

current date range, not reset it to the last 24 hours.

2) Optimized how WassUp plugin functions are loaded into WordPress:

-Added a new function, “wassup_loader()”, to conditionally load WassUp

functions into WordPress so that only needed hooks are added. This

also fixes a sporadic activation error bug that appeared in some

WordPress 2.8+ configurations.

-Removed the standalone hooks for “wassupAppend” and “wassup_init”

and put them inside the “wassupPrepend()” function so that these

functions are “hooked” into WordPress only after “wassupPrepend”

determines that they are needed. This also makes it possible to pass

command-line arguments like “$cookie_value” and “$screen_res” to

these functions.

3) Modified WassUp variables and functions for consistency and to avoid

potential conflicts with other plugins:

-Renamed global “$version” variable to “$wassupversion” to avoid

potential name conflicts.

-Renamed “$siteurl” variable to “$blogurl” to avoid mixups between

WordPress admin url and the blog url because the term, “siteurl”,

is commonly used (incorrectly, IMHO) to refer to the url address of

wordpress admin files. I also made “$blogurl” a global variable.

-Renamed “createTable()” and “updateTable()” functions to

“wCreateTable()” and “wUpdateTable()” to avoid potential name

conflicts with other plugins.

4) Updated how WassUp creates and updates it’s tables after activation:

-Changed “wCreateTable()” to insert an initial “welcome to Wassup”

record in the new table when it creates it.

-Consolidated tests for default charset inclusion in the table

create/update statement into a single test command.

-Added DB_CHARSET existence to the test for charset inclusion.

-Removed the index (username,ip) from the create/update statement

because this caused a language display problem for non-romanic

languages in some WordPress configurations.

?(where table charset !== database charset)?

-Modified “wUpdateTable()” function to call “wCreateTable()” (and

‘dbDelta’ function) when updating table structure. This ensures that

the upgraded WassUp table will always have the same structure as new

installs. Previous statements that changed individual fields and

indices have been removed or commented out of “wUpdateTable()”.

5) Improved search engine lookups in “wGetSE()” and “seReferer()”:

-Added Bing to list of search engines in “wGetSE()”.

-Fixed redundant lookup of search engine data in “seReferer()” when

the data was already found in “wGetSE()”.

-Added a “break” command to terminate search engine comparison loop

instead of using “return”. This allows a page number lookup to be

done prior to function exit (return).

-Added a test to omit internal referrers from search engine lookups.

6) Changed “wassupAppend()” duplicate test to include userAgent in the

test so that page requests from a browser add-ons such as a feedreader

is not counted as a duplicate of an online page request.

7) Updated visitor screen resolution cookie and query parameter, ‘wscr’,

and added a javascript timer and function to automatically reload the

current page when a visitor has been online for 40 seconds so that

both cookie and ‘wscr’ can be seen and recorded by

“wassUpAppend()/wassupPrepend()”.

8) Updated “WassUp Options: Manage Files&Database” form and data:

-Added more WordPress/PHP/MySQL configuration settings to the list.

-Modified configuration settings in html to be an “unordered”

list (<ul><li>) instead of a series of paragraphs (<p>).

9) Added two new Wassup settings to WordPress options:

-”wassup_engine” is Wassup’s MySQL table engine type and is used to

avoid engine-related syntax errors in MySQL (ie. insert delayed).

-”wassup_table” contains the name of wassup’s table and is used to

set the variables “$table_name” and “$table_tmp_name”.

10) Added more security and sanitizing of table and forms to protect

against sql and script injection attacks:

-Wrote a new function, “wCleanURL()” in ‘main.php’ to replace

“clean_url” calls and sanitize URLS with either “clean_url()” or

“esc_url()” (WP 2.8+), depending on WordPress version.

-Added more checks to block script injections attempts disguised as

wassup query/form parameters.

11) Modified how WassUp data backup/export handles errors and sends data:

-Saved “backup_table()” errors messages in options variable

$wassup_options->wassup_alert_msg and displayed them after

“export_wassup()” terminates instead of echoing them to the screen

in middle of export.

-Replaced ‘print $sql;’ statement in “backup_table()” with a

‘return $sql;’ statement so that output is handled by the calling

function, “export_wassup()”, instead.

12) Internationalized Wassup 2.7+ dashboard widget function.

13) Improved “wGetStats()” statistics in ‘main.php’:

-Added “urlrequested” to the type of statistics output.

-Made stats results case insensitive in MySQL queries.

14) Improved “top 10″ stats output and tightened security in ‘action.php’:

-Replaced the inflexible ‘limit 10′ condition in ‘top ten’ stats with

a limit variable “$stat_limit”. Currently $stat_limit=10 but this may

be changeable by users in upcoming revisions.

-Replaced separate “urlrequested” stats query with a call to

“wGetStats()” function.

-[404] urls are no longer shown as links.

-If top 10 results count is less than 10, blank <li> statements are

padded to the output for styling consistency.

-Added a test for ‘wp-config.php’ in WordPress’ parent directory

when it is not found in the install directory (re Wassup forum post).

15) Renamed the “cache_check()” function to “wassup_foot()” to avoid

name conflicts with other plugins. Also place footer content inside a

single paragraph surrounded by html comment tags ‘<!–’ and ‘–>’ to

fix a css/float bug that showed up in some theme templates.

16) Updated “uadetector” class in ‘uadetector.class.php’ module to detect

more browsers, spiders and mobile user agents, operating systems, and

screen resolution.

17) Added more comments to code including new PHPDocumenter-style comments

ex: (/**, @package, @subpackage)

-Added a disclaimer in plugin comment and in “readme.txt” file.

-Added a requirement of WordPress 2.2 or higher in plugin description.

-Added a note about incompatibility with “Super-cache” plugin in

“readme.txt” usage section.

18) Wrote a new function, ‘microtime_float()’, to output microtime as a

float value, similar to PHP 5′s microtime(true). This is used in

WassUp timer and in the PHP profiler module (see below).

19) In Wassup development copy (unreleased), added a PHP profiler module,

‘profiler.php’ to /lib directory and included the profiler in Wassup

code when in debug mode.  This PHP profiler identifies potential code

bottlenecks that slows down WassUp.

========================

Bugs and security fixes:

========================

1) Fixed a bug in ‘main.php’ “wGetStats()” function that caused an error

whenever there are no stats to print.

2) Fixed a bug in “wassupAppend()” that caused all spam check (referrer,

previous spam) to be disabled whenever Akismet spam check was

disabled.

3) Fixed a bug in “wGetSE()” where the locale “SK” was incorrectly

appended to a search engine whenever the search domain was not in the

array of “known” search engines.

4) In “wGetLocale()” function, renamed language codes: Ko to Kr,

Da to Dk, Ur to In, and both He and Iw to Il so that they match

country codes that have an associated flag image. (Closes ticket #85)

5) Removed the index “(username,ip)” from WassUp’s table structure to fix

a language display problem in some non-romanic languages.

6) Fixed bug in Visitor detail/latest hits that caused [expand all]

and [collapse chronology] button options not to be printed when

“items-per-page” was set to an amount different from 10 or 20. (Closes

ticket #97)

7) Fixed WassUp script execution vulnerability by escaping code lines

that included “html_entity_decode” and “urldecode”. Used

“attribute_escape” as the escape function.

8) Fixed a bug in “wassup_foot()” function (formerly “cache_check”) that

caused the wassup footer line to be split up by span/div floats in

some theme templates.

9) Replaced “eregi” and “eregi_replace” functions with “stristr”,

“str_replace” or “preg_replace” because all PHP POSIX regex functions

are deprecated since PHP 5.3 and deleted since PHP 6.

For details, see http://www.php.net/manual/en/function.ereg.php

Download WassUp Version 1.7.1

The main changes are:

• RSS invalid fixed
• “string(y) “post-xxx”" error fixed
• “Illegal request permission denied” error fixed
• some little changes to fix small problems
• added a new dashboard style and data, now you can watch some “current users online” details on the dashboard.

we apologize but the new WassUp version 1.7 has a lot of bugs and issues, we are sorry but this new version has a lot of new code (as you can see on the release changelog), so we received a lot of requests and we are just fixing every bugs.

The development SVN has the new fixes yet, so if you are impatient you could take the new 1.7.1 version from this SVN:

svn co svn://svn.wpwp.org/var/svn/wassup/trunk wassup

Thanks to Alex from Automattic, we discovered a bug on the Akismet spam function, we apologize but due to this bug some of your Akismet stats could be invalid, that’s not a huge problem but you have been warned. Now we fixed it.

Some of the bugs discovered in version 1.7 could be examined from the latest forum posts, thank you all to report them.

Version 1.7.1 is coming in few hours, if you discover bugs please write us.