SQL injection vulnerability in file/stats.php in BS Counter 2.5.3 allows remote attackers to execute arbitrary SQL commands via the page parameter.