Wordpress plugin 3dady realtime web stats 1.0 stored cross site scripting (xss) Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2022-09-23 |
Type : webapps |
Platform : php
This exploit / vulnerability Wordpress plugin 3dady realtime web stats 1.0 stored cross site scripting (xss) is for educational purposes only and if it is used you will do on your own risk!
# 1. Technical Description:
The 3dady real-time web stats WordPress plugin is vulnerable to stored XSS. Specifically in the dady_input_text
and dady2_input_text fields because the user's input is not properly sanitized which allows the insertion of
JavaScript code that can exploit the vulnerability.
# 2. Proof of Concept (PoC):
a. Install and activate version 1.0 of the plugin.
b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=3dady).
c. Insert the following payload in any of the visible fields (dady_input_text or dady2_input_text):
" autofocus onfocus=alert(/XSS/)>
d. Save the changes and immediately the popup window demonstrating the vulnerability (PoC) will be executed.
Note: This change will be permanent until you modify the edited fields.
Wordpress plugin 3dady realtime web stats 1.0 stored cross site scripting (xss)