# Exploit Title: Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)  
# Google Dork: inurl:/wp-content/plugins/3dady-real-time-web-stats/  
# Date: 2022-08-24  
# Exploit Author: UnD3sc0n0c1d0  
# Vendor Homepage:  
# Software Link:  
# Category: Web Application  
# Version: 1.0  
# Tested on: Debian / WordPress 6.0.1  
# CVE : N/A  
# 1. Technical Description:  
The 3dady real-time web stats WordPress plugin is vulnerable to stored XSS. Specifically in the dady_input_text   
and dady2_input_text fields because the user's input is not properly sanitized which allows the insertion of   
JavaScript code that can exploit the vulnerability.  
# 2. Proof of Concept (PoC):  
a. Install and activate version 1.0 of the plugin.  
b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=3dady).  
c. Insert the following payload in any of the visible fields (dady_input_text or dady2_input_text):  
" autofocus onfocus=alert(/XSS/)>  
d. Save the changes and immediately the popup window demonstrating the vulnerability (PoC) will be executed.  
Note: This change will be permanent until you modify the edited fields.