Leaderboard

Popular Content

Showing content with the highest reputation on 09/23/22 in all areas

  1. They are the winners from the last edition of DefCamp Capture the Flag (D-CTF) competition. Wondering how your name could get on the D-CTF 2022 leaderboard (win prizes totaling EUR 4,500 & get free tickets to DefCamp 2022)? Just follow these 3 easy steps:

     1. Get your team together & register for the D-CTF 2022 Qualifications - not to put any pressure, but there is only one week left! 😱
        WHEN? Starting September 30th, 09.00 UTC until October 1st, 15.00 UTC
        WHERE? Online, on CyberEDU.ro
        Register: https://dctf22-quals.cyberedu.ro/
     2. Hack before getting hacked & make it into the top 10 shortlist that will be attending the finals during the DefCamp conference in Bucharest. P.S. Up to 5 teams from Romania will also be invited to the final.
     3. Join us at DefCamp on November 10-11 in Bucharest & do your absolute best in the D-CTF 2022 finals!
        Register: https://dctf22-quals.cyberedu.ro/

     See you soon! The DefCamp team
    3 points
  2. # Exploit Title: Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)
     # Google Dork: inurl:/wp-content/plugins/3dady-real-time-web-stats/
     # Date: 2022-08-24
     # Exploit Author: UnD3sc0n0c1d0
     # Vendor Homepage: https://profiles.wordpress.org/3dady/
     # Software Link: https://downloads.wordpress.org/plugin/3dady-real-time-web-stats.zip
     # Category: Web Application
     # Version: 1.0
     # Tested on: Debian / WordPress 6.0.1
     # CVE : N/A

     # 1. Technical Description:
     The 3dady real-time web stats WordPress plugin is vulnerable to stored XSS, specifically in the dady_input_text and dady2_input_text fields, because the user's input is not properly sanitized, which allows the insertion of JavaScript code that exploits the vulnerability.

     # 2. Proof of Concept (PoC):
     a. Install and activate version 1.0 of the plugin.
     b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=3dady).
     c. Insert the following payload in any of the visible fields (dady_input_text or dady2_input_text):
        " autofocus onfocus=alert(/XSS/)>
     d. Save the changes and the popup window demonstrating the vulnerability (PoC) will be executed immediately.
     Note: This change will be permanent until you modify the edited fields.

     Source: https://www.exploit-db.com/exploits/51021
    1 point
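A defender-side illustration of the flaw described in the post above, added here and not taken from the 3dady plugin or from exploit-db: a hypothetical options field rendered without escaping, beside the same field with input sanitized through register_setting()'s sanitize_callback and output escaped with esc_attr(). The option name dady_input_text comes from the advisory; the dady_render_field_* and dady_register_settings function names are invented for this example.

```php
<?php
// Added illustration, not the 3dady plugin's code: a minimal WordPress
// options field showing the stored-XSS pattern and its corrected form.
// Option name from the advisory; function names are hypothetical.

// VULNERABLE: the saved option is written straight into an HTML attribute.
// A stored value such as   " autofocus onfocus=alert(/XSS/)>   closes the
// value="" attribute and adds an event handler that runs on every page load.
function dady_render_field_vulnerable() {
    $value = get_option( 'dady_input_text', '' );
    echo '<input type="text" name="dady_input_text" value="' . $value . '">';
}

// FIXED, step 1: sanitize on the way in. Registering the option with a
// sanitize_callback means update_option() never stores raw markup;
// sanitize_text_field() strips tags, octets and control characters.
function dady_register_settings() {
    register_setting( 'dady_options', 'dady_input_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'dady_register_settings' );

// FIXED, step 2: escape on the way out. esc_attr() encodes " ' < > &,
// so the payload above is rendered as inert text inside the attribute.
function dady_render_field_fixed() {
    $value = get_option( 'dady_input_text', '' );
    printf(
        '<input type="text" name="dady_input_text" value="%s">',
        esc_attr( $value )
    );
}

// Review check: every option echoed into a value="" attribute must pass
// through esc_attr() (esc_html() for text nodes). Input sanitization is
// defence in depth, not a substitute, because the same option can reach
// the database through other code paths than this settings form.
```

With the fixed rendering, the PoC string from the advisory is stored (after sanitize_text_field() has stripped its tag) and displayed as literal text instead of being parsed as an attribute and event handler.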