Just noticed this and when Googling it has been picked up already, so this isn’t new, but the wp-statistics module (v13.0.8 for sure but likely other versions too) seems to be logging information into the “wp-statistics.log” file in the root directory of the site it is installed on. You can therefore access it and in some cases read the IP addresses of visitors to a site if they have the addon enabled by visiting
You can block external access to it in the .htaccess file via:
<Files "wp-statistics.log"> Require all denied </Files>
I’ve logged an issue on their github page,
hopefully they fix this soon 2021-07-22: a fix will be pushed out this weekend according to the latest update on the issue.
A quick google dork will show up a fair number of affected sites, including some… potentially embarrassing ones.