Description
WordPress 3dady Real-Time Web Stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross-site scripting flaw exists in version 1.0 of the 3dady Real‑Time Web Stats plugin for WordPress. The input fields dady_input_text and dady2_input_text are not sanitized, so authenticated users can embed arbitrary JavaScript via the plugin options panel; the script executes when the page is viewed.

Affected Systems

The vulnerability affects the WordPress plugin named 3dady Real‑Time Web Stats, version 1.0. Any WordPress installation that has this plugin installed and has users with permission to edit the plugin options is susceptible.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity, and the EPSS score below 1% indicates a very low probability of exploitation. An attacker needs an authenticated account that can modify the plugin options, typically an administrator- or author-level user. Once stored, the payload triggers on page view, so the impact is limited to the browsers of users who view the page. The vulnerability is not listed in CISA’s KEV catalog, implying that no widely known public exploitation exists at the time of this analysis.

Generated by OpenCVE AI on May 26, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the 3dady Real‑Time Web Stats plugin to the latest patched version, or uninstall it
  • If no update is available, remove the plugin from the site to eliminate the threat
  • Configure a content security policy that blocks execution of inline scripts to mitigate the impact of the stored XSS

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type: Description
Values Removed: WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed.
Values Added: WordPress 3dady Real-Time Web Stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed.

Mon, 11 May 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type: First Time appeared
Values Added:
  • 3dady
  • 3dady real-time Web Stats
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Added:
  • 3dady
  • 3dady real-time Web Stats
  • Wordpress
  • Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Type: Description
Values Added: WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed.

Type: Title
Values Added: WordPress 3dady Real-Time Web Stats 1.0 Stored XSS

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added:

cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T11:51:45.734Z

Reserved: 2026-01-11T13:34:26.331Z

Link: CVE-2022-50945

Vulnrichment

Updated: 2026-05-11T14:54:57.476Z

NVD

Status: Deferred

Published: 2026-05-10T13:16:32.267

Modified: 2026-05-26T14:16:25.897

Link: CVE-2022-50945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T14:45:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')