The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
Contributors & Developers
“Search Meter” has been translated into 2 locales. Thank you to the translators for their contributions.
Restore compatibility with some older versions of PHP (probably back to 5.0).
Some fixes for text and internationalization.
Search Summary and Recent Searches can be downloaded as CSV files.
Search Meter is now set up for translation to other languages. For details, go to translate.wordpress.org. (Thanks to Christiaen François)
All stats are now displayed in the WordPress time zone, and stored in the database as UTC. Previously, they were stored and displayed in the server time zone, which was confusing. The change means that old search statistics may be out by up to 13 hours.
Updated licensing, now using GPL3.
When uninstalled, delete all options and data. (Thanks to Scott Allen)
Track searches made via ajax requests. (Thanks to tliebig)
Settings for search history size and recording duplicates can now be altered in filters. See the code for details. (Thanks to Dan Harrison)
Fixed a problem with saving hit counts. (Thanks to vrocks)
Add an option to ignore searches made by logged-in administrators, so administrators can test searches without cluttering up the search stats.
Requires WP 3.2.
Upgrade deprecated code. Minor restyling.
Ensure Search Meter can save searches even if other plugins trigger a query before the main WordPress loop.
Add a Search Meter dashboard widget.
Add Search Meter settings link on the Plugins page for convenient configuration.
Many small improvements.
Fix option for permission level, which was not being saved correctly.
Allow Search Meter to work with Multisite WordPress.
Add convenient links between Settings and Dashboard pages.
Clean up dashboard tabs and table layout.
Add Bitcoin donation address in case you’re feeling generous.
Remove another warning message.
Requires WP 2.8.
Fix problem displaying multiple-word searches in WP 3.0.
Remove notice messages when debugging.
Don’t show duplicated recent searches.
Add filter list so that search terms with certain words will not show up in recent and popular search lists.
Search links work whether or not fancy permalinks are enabled.
Administrator can decide who is allowed to see full statistics.
Requires WordPress 2.3 or later.
Use UTF8 when creating tables.
Fix PHP 5.3 incompatibility.
Widgets now conform to WordPress 2.8 standards.
Improve formatting on the Options page.
Fix database error caused by duplicate searches.
Users of Search Meter version 1 will need to deactivate and reactivate the plugin to use version 2.5.
Fix the links to the Statistics and Options pages, which broke in WordPress 2.7.
Improve widget display and add controls to specify the number of searches to show.
Add option to hide donation buttons.
Add widgets for Recent Searches and Popular Searches.
Fix table creation problem on WordPress 2.2.1.
Add donation buttons (thanks for your consideration).
Improve search count accuracy.
Add Recent Searches page and template tag.
Make search counts more accurate: correctly count multi-page searches and searches with no referer [sic].
Popular Searches tag allows number of results to be specified.