Metaphorcreations

metaphorcreations

15 CVEs • 2 products

Products (2)

Click to collapse

Toggle

Post Duplicator

post_duplicator

CVEs (15)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-8085 1Metaphorcreations 1Ditty Feb 9, 2026 Sep 8, 2025 N/A· v4 8.6 HIGH· v3 N/A· v2 The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
CVE-2024-13357 1Metaphorcreations 1Ditty Jun 10, 2025 May 15, 2025 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_h...Show more The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).Show less
CVE-2025-24736 1Metaphorcreations 1Post Duplicator Apr 23, 2026 Jan 24, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Missing Authorization vulnerability in metaphorcreations Post Duplicator post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through <= 2.3...Show more Missing Authorization vulnerability in metaphorcreations Post Duplicator post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through <= 2.35.Show less
CVE-2024-12472 1Metaphorcreations 1Post Duplicator Apr 8, 2026 Jan 11, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Post Duplicator plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the mtphr_duplicate_post() function due to insufficient restrictions on which posts can be dup...Show more The Post Duplicator plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the mtphr_duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to by duplicating the post.Show less
CVE-2023-49835 1Metaphorcreations 1Post Duplicator Apr 28, 2026 Dec 9, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Missing Authorization vulnerability in Metaphor Creations Post Duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through 2.31.
CVE-2024-9600 1Metaphorcreations 1Ditty May 15, 2025 Nov 21, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks.
CVE-2024-6715 1Metaphorcreations 1Ditty May 17, 2025 Aug 23, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39
CVE-2024-6710 1Metaphorcreations 1Ditty Sep 5, 2024 Aug 5, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
CVE-2024-5575 1Metaphorcreations 1Ditty May 13, 2025 Jul 13, 2024 N/A· v4 4.7 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_htm...Show more The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowedShow less
CVE-2024-3939 1Metaphorcreations 1Ditty May 21, 2025 May 27, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_ht...Show more The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)Show less
CVE-2023-4148 1Metaphorcreations 1Ditty May 1, 2025 Sep 25, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against hi...Show more The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.Show less
CVE-2023-23874 1Metaphorcreations 1Ditty Nov 21, 2024 May 3, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Metaphor Creations Ditty plugin <= 3.0.32 versions.
CVE-2016-15027 1Metaphorcreations 1Post Duplicator Nov 21, 2024 Feb 20, 2023 N/A· v4 6.1 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability was found in meta4creations Post Duplicator Plugin 2.18 on WordPress. It has been classified as problematic. Affected is the function mtphr_post_duplicator_notice of the file includes/notices.php. The man...Show more A vulnerability was found in meta4creations Post Duplicator Plugin 2.18 on WordPress. It has been classified as problematic. Affected is the function mtphr_post_duplicator_notice of the file includes/notices.php. The manipulation of the argument post-duplicated leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.19 is able to address this issue. The name of the patch is ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221496.Show less
CVE-2021-33852 1Metaphorcreations 1Post Duplicator Nov 21, 2024 Mar 10, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Duplicate Title" text box execu...Show more A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Duplicate Title" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts.Show less
CVE-2022-0533 1Metaphorcreations 1Ditty Nov 21, 2024 Mar 7, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability.