CVE-2022-50945
Received - Intake
Stored XSS in 3dady Real-Time Web Stats WordPress Plugin

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description
WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed.
Meta Information
Published: 2026-05-10
Last Modified: 2026-05-10
Generated: 2026-05-10
AI Q&A: 2026-05-10
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: 3dady
Product: real-time_web_stats_plugin
Version / Range: 1.0
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The WordPress 3dady real-time web stats plugin version 1.0 contains a stored cross-site scripting (XSS) vulnerability. This flaw allows authenticated attackers to inject malicious JavaScript code into unsanitized input fields within the plugin's options panel.

Specifically, attackers can insert JavaScript payloads into the dady_input_text or dady2_input_text fields. When the affected page is viewed, the injected script executes arbitrary code, leading to a persistent XSS attack.


How can this vulnerability impact me?

This vulnerability can allow an authenticated attacker to execute arbitrary JavaScript code in the context of the affected website. This can lead to unauthorized actions such as stealing user session cookies, defacing the website, redirecting users to malicious sites, or performing actions on behalf of legitimate users.

Because the attack is stored, the malicious script persists and executes every time the vulnerable page is loaded until the injected fields are manually cleaned.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the values of the plugin's input fields "dady_input_text" and "dady2_input_text" in the WordPress 3dady real-time web stats plugin options panel for any injected JavaScript payloads.

Since the vulnerability involves stored cross-site scripting via these fields, you can manually inspect these fields in the plugin settings for suspicious scripts such as payloads containing "autofocus onfocus=alert(/XSS/)>" or other JavaScript code.

There are no specific network commands provided in the resources, but detection involves reviewing the plugin options panel inputs for malicious scripts.
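
One way to triage the two fields outside the browser, as an added example that is not from the advisory or the plugin. It assumes the stored values of dady_input_text and dady2_input_text have been copied or exported into a dict; the check names, helper functions and sample values are constructed for illustration.

```python
import html
import re

# Field names come from the advisory; everything else here is illustrative.
FIELDS = ("dady_input_text", "dady2_input_text")

# Markup that has no place in a plain-text setting value. A hit is a prompt
# for manual review, not proof: a legitimate label with an apostrophe also
# trips the delimiter check.
CHECKS = {
    "event-handler attribute": re.compile(r"\bon[a-z]+\s*=", re.I),
    "script tag": re.compile(r"<\s*script\b", re.I),
    "javascript: URI": re.compile(r"javascript\s*:", re.I),
    "tag or attribute delimiter": re.compile(r"[<>\"']"),
}


def findings(value):
    """Return the names of the checks that a stored field value trips."""
    # Decode entities first so an entity-encoded copy is still recognised.
    decoded = html.unescape(value)
    return [name for name, rx in CHECKS.items() if rx.search(decoded)]


def scan(settings):
    """Map each advisory field that appears to hold markup to its findings."""
    report = {}
    for field in FIELDS:
        hits = findings(settings.get(field, ""))
        if hits:
            report[field] = hits
    return report


def render_safely(value):
    """Encode a value for HTML output so it is displayed, not interpreted."""
    return html.escape(value, quote=True)


# Constructed sample: one field holds the fragment quoted in the advisory,
# the other an ordinary label.
SAMPLE = {
    "dady_input_text": "autofocus onfocus=alert(/XSS/)>",
    "dady2_input_text": "Visitors online",
}

if __name__ == "__main__":
    for field, hits in scan(SAMPLE).items():
        print(f"{field}: {', '.join(hits)}")
        print("  encoded for output:", render_safely(SAMPLE[field]))
```
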


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include removing or sanitizing any malicious JavaScript code injected into the "dady_input_text" and "dady2_input_text" fields in the plugin options panel.

Since the vulnerability requires authenticated access, restricting access to the plugin options panel to trusted users can reduce risk.

Additionally, consider disabling or uninstalling the vulnerable 3dady real-time web stats plugin version 1.0 until a patched version is available.

