PatchSiren cyber security CVE debrief
CVE-2022-50945 Profiles CVE debrief
CVE-2022-50945 is a stored cross-site scripting issue in the WordPress 3dady real-time web stats plugin 1.0. According to the supplied record, an authenticated attacker can place malicious JavaScript into unsanitized option-panel fields, and the payload executes when the affected page is later viewed. The NVD metadata classifies the weakness as CWE-79 and lists a CVSS v4.0 base score of 5.1 (MEDIUM).
- Vendor: Profiles
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
WordPress site administrators, plugin maintainers, and security teams managing sites that have the 3dady real-time web stats plugin installed or historically installed. This matters most where authenticated accounts can access the plugin options panel or where stored content is rendered to other users.
Technical summary
The vulnerability is a stored XSS condition. The source description says JavaScript can be injected through the dady_input_text or dady2_input_text fields in the plugin options panel because input is not sanitized before storage or later rendering. The supplied CVSS vector indicates a network-reachable issue with low attack complexity, low privileges required, and user interaction needed.
Defensive priority
Medium priority. Stored XSS can lead to session theft, admin action hijacking, or malicious page content delivery, especially on sites with multiple users or privileged dashboards. Priority increases if the plugin is installed on production WordPress sites.
Recommended defensive actions
- Inventory WordPress installations for the 3dady real-time web stats plugin 1.0 and remove it if it is not required.
- If the plugin is needed, check whether a vendor fix or safe replacement exists before re-enabling it.
- Review stored values in the plugin options fields referenced by the advisory and remove suspicious script-like content.
- Limit access to the plugin options panel to trusted administrators only.
- Review WordPress administrator and editor accounts for unexpected changes after potential exposure.
- Use standard WordPress hardening measures, including least-privilege access and monitoring for unexpected script execution in rendered pages.
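One way to carry out the stored-value review above, as an added example that is not code from the plugin or the advisory. It assumes the two fields named in the advisory have been exported into a name-to-value mapping (for instance from the site's options table); the indicator patterns and sample values are constructed for illustration.

```python
import html
import re

# Field names come from the advisory; treating them as keys of an exported
# options dump is an assumption of this example.
ADVISORY_FIELDS = ("dady_input_text", "dady2_input_text")

# Markup that has no place in a plain-text setting value.
INDICATORS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"<[^>]*\son\w+\s*=", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
    "active-element": re.compile(r"<\s*(iframe|object|embed|svg|img)\b", re.I),
}


def normalise(value):
    """Undo up to three layers of HTML-entity encoding before matching."""
    for _ in range(3):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def review_options(options):
    """Return {field: [indicator names]} for advisory fields that look scripted."""
    findings = {}
    for field in ADVISORY_FIELDS:
        value = options.get(field)
        if not isinstance(value, str):
            continue
        text = normalise(value)
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings[field] = hits
    return findings


# Constructed sample export: one benign value, one entity-encoded script value,
# and an unrelated option that must be ignored.
SAMPLE = {
    "dady_input_text": "Visitors online now",
    "dady2_input_text": "&lt;script src=//cdn.example.invalid/x.js&gt;&lt;/script&gt;",
    "blogname": "<b>My site</b>",
}

if __name__ == "__main__":
    for field, hits in review_options(SAMPLE).items():
        print(f"{field}: review and clean ({', '.join(hits)})")
```

A flagged field is a prompt for manual review and cleanup, not proof of compromise; an empty result only means none of these patterns matched.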
Evidence notes
The supplied CVE description states that authenticated attackers can exploit unsanitized input fields in the plugin options panel to inject JavaScript into dady_input_text or dady2_input_text. The NVD metadata supplied with the record identifies the weakness as CWE-79 and provides CVSS v4.0 vector details consistent with a stored XSS flaw. The source item also references a VulnCheck advisory and supporting links.
Official resources
Use the supplied CVE/NVD publication timestamp for timing context: 2026-05-10T13:16:32.267Z. The source item cites a VulnCheck advisory and related references; this debrief relies only on the supplied record and linked official sources.