I found a new xss in php-stats 0.1.9.2

http://phpstats.net/

http://www.example.com/php-stats-path/tracking.php?what=online&ip=[XSS]

Stats must have public access for this (difference from whois.php XSS).