PsychoStats 3.0.6b and earlier allows remote attackers to obtain sensitive information via a request for server.php with a missing or invalid newtheme parameter, which reveals a path in an error message.
Cross-site scripting (XSS) vulnerability in hlstats.php in HLstats 1.34 allows remote attackers to inject arbitrary web script or HTML via the q parameter.
Multiple cross-site scripting (XSS) vulnerabilities in EQdkp 1.3.2c and earlier allow remote attackers to inject arbitrary web script or HTML via the show parameter to (1) listmembers.php and (2) stats.php. NOTE: some of these details are obtained from third party information.