CVE-2022-50945
Deferred Deferred - Pending Action
Stored XSS in 3dady Real-Time Web Stats WordPress Plugin

Publication date: 2026-05-10

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-26
Generated
2026-06-21
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-20
NVD
CVE-2022-50945
EUVD
EUVD-2022-55970
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
3dady real-time_web_stats_plugin 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WordPress 3dady real-time web stats plugin version 1.0 contains a stored cross-site scripting (XSS) vulnerability. This flaw allows authenticated attackers to inject malicious JavaScript code into unsanitized input fields within the plugin's options panel.

Specifically, attackers can insert JavaScript payloads into the dady_input_text or dady2_input_text fields. When the affected page is viewed, the injected script executes arbitrary code, leading to a persistent XSS attack.

Impact Analysis

This vulnerability can allow an authenticated attacker to execute arbitrary JavaScript code in the context of the affected website. This can lead to unauthorized actions such as stealing user session cookies, defacing the website, redirecting users to malicious sites, or performing actions on behalf of legitimate users.

Because the attack is stored, the malicious script persists and executes every time the vulnerable page is loaded until the injected fields are manually cleaned.

Detection Guidance

This vulnerability can be detected by checking the values of the plugin's input fields "dady_input_text" and "dady2_input_text" in the WordPress 3dady real-time web stats plugin options panel for any injected JavaScript payloads.

Since the vulnerability involves stored cross-site scripting via these fields, you can manually inspect these fields in the plugin settings for suspicious scripts such as payloads containing "autofocus onfocus=alert(/XSS/)>" or other JavaScript code.

There are no specific network commands provided in the resources, but detection involves reviewing the plugin options panel inputs for malicious scripts.

Mitigation Strategies

Immediate mitigation steps include removing or sanitizing any malicious JavaScript code injected into the "dady_input_text" and "dady2_input_text" fields in the plugin options panel.

Since the vulnerability requires authenticated access, restricting access to the plugin options panel to trusted users can reduce risk.

Additionally, consider disabling or uninstalling the vulnerable 3dady real-time web stats plugin version 1.0 until a patched version is available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50945. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart