CVE-2025-60105

Vulnerability

Overview The Ditty news ticker plugin for WordPress versions 3.1.58 and below contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during page generation [1]. This allows attackers to inject arbitrary JavaScript or HTML that is stored and executed in the context of the affected site.

Exploitation

Details An attacker with low-level authenticated access (e.g., contributor or author) can inject malicious payloads through the plugin's input fields, such as ticker content titles or settings. Once stored, the payload executes automatically when any user, including administrators, visits a page that renders the Ditty ticker [1]. No additional user interaction is required for the payload to run, though the initial injection requires a privileged user action (saving the ticker item).

Impact

Successful exploitation enables the attacker to perform a range of malicious activities: stealing session cookies, redirecting visitors to phishing or malware sites, displaying unauthorized advertisements, or defacing website content. Since the payload is persistent, it can affect every visitor until the malicious content is removed.

Mitigation

The vulnerability has been patched in Ditty version 3.1.59. Users are strongly advised to update the plugin immediately. For those who cannot update, Patchstack recommends using auto-update features or consulting with a web developer [1]. There are no known workarounds other than updating.