Search
Search Results (14 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-9011 | 2 Metaphorcreations, Wordpress | 2 Ditty – Responsive News Tickers, Sliders, And Lists, Wordpress | 2026-05-22 | 7.5 High |
| The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve the full item content of non-public Dittys — including drafts, pending, scheduled, and disabled entries — by enumerating integer post IDs against the ditty_init AJAX endpoint. Unlike the non-AJAX init() counterpart, init_ajax() does not verify that the requested Ditty has a 'publish' post status before loading and returning its items, allowing content that administrators explicitly withheld from public view to be extracted. | ||||
| CVE-2023-47764 | 1 Metaphorcreations | 1 Ditty | 2026-04-29 | 6.5 Medium |
| Missing Authorization vulnerability in metaphorcreations Ditty ditty-news-ticker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ditty: from n/a through <= 3.1.24. | ||||
| CVE-2024-32569 | 1 Metaphorcreations | 1 Ditty | 2026-04-28 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metaphor Creations Ditty allows Stored XSS.This issue affects Ditty: from n/a through 3.1.31. | ||||
| CVE-2025-60105 | 2 Metaphorcreations, Wordpress | 2 Ditty, Wordpress | 2026-04-23 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty ditty-news-ticker allows Stored XSS.This issue affects Ditty: from n/a through <= 3.1.58. | ||||
| CVE-2025-8085 | 2 Metaphorcreations, Wordpress | 2 Ditty, Wordpress | 2026-02-09 | 8.6 High |
| The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. | ||||
| CVE-2024-13357 | 1 Metaphorcreations | 1 Ditty | 2025-06-10 | 4.8 Medium |
| The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-3939 | 1 Metaphorcreations | 1 Ditty | 2025-05-21 | 5.4 Medium |
| The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-6715 | 1 Metaphorcreations | 1 Ditty | 2025-05-17 | 6.1 Medium |
| The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39 | ||||
| CVE-2024-9600 | 1 Metaphorcreations | 1 Ditty | 2025-05-15 | 4.8 Medium |
| The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2024-5575 | 1 Metaphorcreations | 1 Ditty | 2025-05-13 | 4.7 Medium |
| The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | ||||
| CVE-2023-4148 | 1 Metaphorcreations | 1 Ditty | 2025-05-01 | 6.1 Medium |
| The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | ||||
| CVE-2023-23874 | 1 Metaphorcreations | 1 Ditty | 2025-01-09 | 6.5 Medium |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Metaphor Creations Ditty plugin <= 3.0.32 versions. | ||||
| CVE-2022-0533 | 1 Metaphorcreations | 1 Ditty | 2024-11-21 | 6.1 Medium |
| The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability. | ||||
| CVE-2024-6710 | 1 Metaphorcreations | 1 Ditty | 2024-09-05 | 5.4 Medium |
| The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. | ||||
Page 1 of 1.