CVE-2022-50945
Description
WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress 3dady Real-Time Web Stats plugin 1.0 has a stored XSS flaw in input fields, allowing authenticated attackers to inject arbitrary JavaScript.
The WordPress 3dady Real-Time Web Stats plugin version 1.0 suffers from a stored cross-site scripting (XSS) vulnerability. The plugin fails to properly sanitize user input in the dady_input_text and dady2_input_text fields within its options panel, enabling attackers to inject malicious JavaScript code [2].
To exploit this vulnerability, an attacker must be authenticated as a WordPress user with access to the plugin's settings page (/wp-admin/admin.php?page=3dady). When a crafted payload such as " autofocus onfocus=alert(/XSS/)> is entered into one of the vulnerable fields, it is stored and then executed whenever the page is viewed, including by other users [2].
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or further attacks, depending on the privileges of the victim [3].
As of the latest information, no official patch has been released for this vulnerability. The plugin appears to be outdated and may no longer be maintained. Users should consider deactivating and removing the plugin or, if needed, applying a Content Security Policy (CSP) as a mitigating measure [3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
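The following is an added example, not code from the 3dady plugin or from the cited references. It assumes the stored dady_input_text value is echoed back into a value="..." attribute (which the shape of the quoted payload suggests) and compares that sink without and with attribute-context encoding; the function names are hypothetical.

```php
<?php
// Added illustration; not the 3dady plugin's source code.
// Assumption: the stored option is echoed back into a value="..." attribute.

// Vulnerable pattern: the stored value is concatenated into the attribute as-is.
function render_field_unsafe(string $name, string $stored): string
{
    return '<input type="text" name="' . $name . '" value="' . $stored . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
function render_field_safe(string $name, string $stored): string
{
    $enc = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };
    return '<input type="text" name="' . $enc($name) . '" value="' . $enc($stored) . '">';
}

// Attribute names an HTML parser sees on the first <input> element.
function input_attributes(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Attributes that the field template itself never emits.
function unexpected_attributes(string $html): array
{
    return array_values(array_diff(input_attributes($html), ['type', 'name', 'value']));
}

$payload = '" autofocus onfocus=alert(/XSS/)>'; // payload quoted in the text above

foreach (['unsafe' => 'render_field_unsafe', 'safe' => 'render_field_safe'] as $label => $render) {
    $html = $render('dady_input_text', $payload);
    $extra = unexpected_attributes($html);
    printf("%-6s %s\n", $label, $html);
    printf("       unexpected attributes: %s\n", $extra ? implode(', ', $extra) : 'none');
}
```

Inside WordPress, esc_attr() is the output-side counterpart of the htmlspecialchars() call used here.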
Affected products
- Range: <=1.0
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.