Ditty

ditty

CVEs (10)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-8085 1Metaphorcreations 1Ditty Feb 9, 2026 Sep 8, 2025 N/A· v4 8.6 HIGH· v3 N/A· v2 The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
CVE-2024-13357 1Metaphorcreations 1Ditty Jun 10, 2025 May 15, 2025 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_h...Show more The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).Show less
CVE-2024-9600 1Metaphorcreations 1Ditty May 15, 2025 Nov 21, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks.
CVE-2024-6715 1Metaphorcreations 1Ditty May 17, 2025 Aug 23, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39
CVE-2024-6710 1Metaphorcreations 1Ditty Sep 5, 2024 Aug 5, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
CVE-2024-5575 1Metaphorcreations 1Ditty May 13, 2025 Jul 13, 2024 N/A· v4 4.7 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_htm...Show more The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowedShow less
CVE-2024-3939 1Metaphorcreations 1Ditty May 21, 2025 May 27, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_ht...Show more The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)Show less
CVE-2023-4148 1Metaphorcreations 1Ditty May 1, 2025 Sep 25, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against hi...Show more The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.Show less
CVE-2023-23874 1Metaphorcreations 1Ditty Nov 21, 2024 May 3, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Metaphor Creations Ditty plugin <= 3.0.32 versions.
CVE-2022-0533 1Metaphorcreations 1Ditty Nov 21, 2024 Mar 7, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability.