WordPress 3dady Real-Time Web Stats Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the WordPress plugin 3dady Real-Time Web Stats, version 1.0. This vulnerability allows authenticated attackers to inject malicious JavaScript into unsanitized input fields. The injected scripts are executed when the page is viewed, potentially leading to the execution of arbitrary code.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, install and activate version 1.0 of the 3dady Real-Time Web Stats WordPress plugin. Navigate to the plugin options panel and enter a JavaScript payload into either the dady_input_text or dady2_input_text fields. Save the changes, and the injected script will execute immediately, demonstrating the cross-site scripting vulnerability.