Two vulnerabilities have been found in the Count Per Day plugin for WordPress. An attacker may exploit them to conduct cross-site scripting (XSS) attacks or to disclose sensitive information.
Input passed to the "map" parameter in wp-content/plugins/count-per-day/map/map.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session, in the context of the affected site, when the user visits a crafted link or web page.
Input passed to the "f" parameter in wp-content/plugins/count-per-day/download.php is not properly verified before being used to read and serve files. This can be exploited to read arbitrary files via directory traversal sequences (e.g. "../").
The vulnerabilities were confirmed in version 3.1. Users should upgrade to version 3.1.1.
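The two bug classes above, as an added illustration that is not code from the Count Per Day plugin (its actual handlers are not reproduced here): a hypothetical handler that echoes a "map" parameter into HTML and serves a file named by an "f" parameter, each shown in the unsafe form and in a hardened form. The directory name ALLOWED_DIR, the function names and the sample inputs are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical handler that
// echoes a "map" parameter into HTML and serves a file named by "f".

declare(strict_types=1);

// Directory that download requests are allowed to serve from (assumed).
const ALLOWED_DIR = __DIR__ . '/downloads';

// Unsafe pattern: the value is echoed straight into the page, so
// ?map=<script>alert(1)</script> runs in the visitor's browser.
function render_map_title_unsafe(string $map): string
{
    return '<h2>Map: ' . $map . '</h2>';
}

// Hardened: escape for an HTML context before output. Inside WordPress,
// esc_html() does the same job; htmlspecialchars() keeps this self-contained.
function render_map_title_safe(string $map): string
{
    return '<h2>Map: ' . htmlspecialchars($map, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h2>';
}

// Unsafe pattern: the file name is concatenated onto a base directory with
// no check, so ?f=../../../../wp-config.php resolves outside that directory.
function resolve_download_unsafe(string $f): string
{
    return ALLOWED_DIR . '/' . $f;
}

// Hardened: reject anything with a directory component, then resolve the
// real path and require it to stay inside ALLOWED_DIR. Returns null for
// anything that escapes the directory or does not exist as a regular file.
function resolve_download_safe(string $f): ?string
{
    // A download name is a bare file name; "../x", "a/b" and "" are rejected.
    if ($f === '' || basename($f) !== $f || $f === '.' || $f === '..') {
        return null;
    }
    $base = realpath(ALLOWED_DIR);
    $path = realpath(ALLOWED_DIR . '/' . $f);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() also follows symlinks, so a link pointing outside the
    // directory fails this prefix check. The trailing separator prevents
    // "/downloads2" from matching "/downloads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed inputs: one traversal attempt, one ordinary name, one XSS payload.
$inputs = ['../../wp-config.php', 'stats.csv', '<script>alert(1)</script>'];
foreach ($inputs as $in) {
    printf("map title (safe): %s\n", render_map_title_safe($in));
    printf("download (safe):  %s\n\n", resolve_download_safe($in) ?? 'rejected');
}
```

The two checks are independent: output escaping addresses the map.php-style reflected XSS, and the basename plus realpath prefix check addresses the download.php-style traversal. Neither replaces authentication or authorization on the download endpoint, which the advisory does not describe and which a real handler would still need.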
Source: Secunia
16.01.2012