The current version of Piwik is not affected by this vulnerability. Since version 0.5 (released December 2009), Piwik checks (and sets, if required) the MySQL connection charset to UTF-8.

Piwik users are, however, encouraged to upgrade to the latest versions of Piwik and PHP to take advantage of new features and bug fixes.

Reference: ZF2011-02: Potential SQL Injection Vector When Using PDO_MySql


Anthon Pang

- An active contributor for years, Anthon has designed some major features in Piwik, such as the first version of the JavaScript tracker. He still regularly advises the team.