XSS Vulnerability in WP Statistics v8.4

Homepage: https://wordpress.org/plugins/wp-statistics/
Version: 8.4

Vulnerability:
WP Statistics is vulnerable to stored XSS. On the “Statistics > Visitors” screen the referer link is not filtered, so malicious JavaScript can be injected by anyone. A simple cURL call with a custom Referer header is enough:

curl -H 'Referer: javascript:alert(location.href);' 'http://wp.dev'

Screenshot: http://imgur.com/mE7ULVp

Timeline:
2014-12-01: Published as unlisted pastebin
2014-12-01: Reported to plugins@wordpress.org
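Defender-side illustration added here, not code from the advisory or from the plugin: a small Python helper that renders an untrusted Referer value as a link only when it is an absolute http(s) URL (everything else is shown as escaped text), plus a scan over constructed Combined Log Format lines that flags Referer values with a non-http(s) scheme such as the javascript: payload above. The log format, field names and sample addresses are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Only these schemes may become a clickable href when rendering a referer.
SAFE_SCHEMES = {"http", "https"}


def safe_referer_link(referer: str) -> str:
    """Render an untrusted Referer value as HTML.

    The value becomes an <a href> only if it parses as an absolute http(s)
    URL; javascript:, data: or schemeless junk is emitted as escaped text
    without a link. Both the attribute and the text are HTML-escaped so a
    value cannot break out of the attribute or inject markup.
    """
    value = referer.strip()
    parts = urlsplit(value)
    if parts.scheme.lower() in SAFE_SCHEMES and parts.netloc:
        return '<a href="%s">%s</a>' % (html.escape(value, quote=True),
                                        html.escape(value))
    return "<span>%s</span>" % html.escape(value)


# Constructed access-log sample (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Dec/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "http://example.org/page" "Mozilla/5.0"
203.0.113.9 - - [01/Dec/2014:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "javascript:alert(location.href);" "curl/7.38.0"
203.0.113.7 - - [01/Dec/2014:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'\d+ \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')


def suspicious_referers(log_text: str) -> list:
    """Return (client_ip, referer) pairs whose Referer is not a plain http(s) URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a Combined Log Format line
        ref = m.group("ref")
        if ref == "-":
            continue                      # no referer sent
        parts = urlsplit(ref.strip())
        if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
            hits.append((m.group("ip"), ref))
    return hits
```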