Description
WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the 3dady Real‑Time Web Stats plugin for WordPress 1.0. Unsanitized input fields named dady_input_text and dady2_input_text allow authenticated users to embed arbitrary JavaScript. When a victim visits the page where this input is rendered, the injected script runs in the context of the site, enabling attackers to steal session data, deface content, or redirect users.

Affected Systems

The vulnerability affects the WordPress plugin named 3dady Real‑Time Web Stats, version 1.0. Any WordPress installation that has this plugin installed and has users with permission to edit the plugin options is susceptible.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity; the EPSS score is not available, so exploitation probability is unknown. Attackers need an authenticated account that can modify the plugin options, typically an administrator or author level user. Once the payload is stored, it triggers on page view, so the impact is limited to browsers of users who view the page. The plugin is not listed in CISA’s KEV catalog, implying no widely known public exploitation at the time of this analysis.

Generated by OpenCVE AI on May 10, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the 3dady Real‑Time Web Stats plugin to the latest patched version, or uninstall it
  • If no update is available, remove the plugin from the site to eliminate the threat
  • Configure a content security policy that blocks execution of inline scripts to mitigate the impact of the stored XSS

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | 3dady; 3dady real-time Web Stats; Wordpress; Wordpress wordpress
Vendors & Products | | 3dady; 3dady real-time Web Stats; Wordpress; Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed.
Title | | WordPress 3dady Real-Time Web Stats 1.0 Stored XSS
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T14:55:00.435Z

Reserved: 2026-01-11T13:34:26.331Z

Link: CVE-2022-50945

Vulnrichment

Updated: 2026-05-11T14:54:57.476Z

NVD

Status: Received

Published: 2026-05-10T13:16:32.267

Modified: 2026-05-10T13:16:32.267

Link: CVE-2022-50945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:59Z

Weaknesses