CVE-2026-9011
Description
The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve the full item content of non-public Dittys — including drafts, pending, scheduled, and disabled entries — by enumerating integer post IDs against the ditty_init AJAX endpoint. Unlike the non-AJAX init() counterpart, init_ajax() does not verify that the requested Ditty has a 'publish' post status before loading and returning its items, allowing content that administrators explicitly withheld from public view to be extracted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can retrieve non-public Ditty content via AJAX endpoint due to missing authorization check in plugin versions up to 3.1.65.
Vulnerability
The Ditty plugin for WordPress includes an AJAX endpoint ditty_init implemented in init_ajax() in class-ditty-singles.php [1][2]. Unlike the non-AJAX init() function, init_ajax() does not verify that the requested Ditty post has a publish post status before returning its items [1][2]. This allows any post status—including draft, pending, future, or disabled—to be returned. The issue affects all versions up to and including 3.1.65 [3][4].
Exploitation
An unauthenticated attacker can send a POST request to the ditty_init AJAX action with a numeric id parameter. By enumerating integer post IDs, the attacker can retrieve the full item content of any Ditty, regardless of its intended visibility. No authentication or user interaction is required.
Impact
Successful exploitation leads to information disclosure of non-public Ditty entries, including drafts, pending, scheduled, and disabled content. The attacker gains access to the full item data without any privileges, potentially exposing sensitive information that administrators intended to keep hidden.
Mitigation
As of the publication date (2026-05-22), a patched version has not been explicitly announced in the provided references. Users should update to the latest version of the plugin as soon as a fix is available. Meanwhile, disabling the ditty_init AJAX endpoint via a WordPress plugin or custom code may serve as a temporary workaround.
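One form the custom-code workaround can take, as an added illustration that is not code from the Ditty plugin or from the cited references: a must-use plugin that applies, ahead of the plugin's own handler, the same published-status test that the non-AJAX init() path performs and init_ajax() lacks. It assumes the AJAX action name is ditty_init and that the post ID arrives in an id parameter, as the description states; the file goes in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Ditty ditty_init status gate (temporary workaround)
 *
 * Added illustration, not code from the Ditty plugin. Assumes the AJAX
 * action is "ditty_init" and that the post ID is passed as "id".
 */

add_action( 'admin_init', function () {
    // admin-ajax.php fires admin_init before dispatching the wp_ajax_*
    // and wp_ajax_nopriv_* callbacks, so this runs ahead of init_ajax().
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( 'ditty_init' !== $action ) {
        return;
    }

    // Parameter name "id" is assumed from the advisory text.
    $id = isset( $_REQUEST['id'] ) ? absint( wp_unslash( $_REQUEST['id'] ) ) : 0;

    // Users allowed to edit this post (e.g. an administrator previewing a
    // draft) keep their access; everyone else, anonymous callers included,
    // is limited to entries with the "publish" status.
    if ( $id && current_user_can( 'edit_post', $id ) ) {
        return;
    }

    // get_post_status() returns false for a non-existent ID, so unknown,
    // draft, pending, future and disabled entries all fail this test.
    if ( ! $id || 'publish' !== get_post_status( $id ) ) {
        // Answer 404 rather than 403 so the response does not confirm
        // that a non-public Ditty with this ID exists.
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }
}, 1 );
```

Remove the file once a fixed plugin version is installed; it only gates the ditty_init action and does not alter any other plugin behaviour.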
- https://plugins.trac.wordpress.org/browser/ditty-news-ticker/tags/3.1.64/includes/class-ditty-singles.php#L220
- https://plugins.trac.wordpress.org/browser/ditty-news-ticker/tags/3.1.64/includes/class-ditty-singles.php#L33
- https://plugins.trac.wordpress.org/browser/ditty-news-ticker/tags/3.1.65/includes/class-ditty-singles.php#L33
- https://plugins.trac.wordpress.org/browser/ditty-news-ticker/tags/3.1.65/includes/class-ditty-singles.php#L220
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=3.1.65
- Range: <=3.1.65
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (8)
- plugins.trac.wordpress.org/browser/ditty-news-ticker/tags/3.1.64/includes/class-ditty-scripts.php (nvd)
- plugins.trac.wordpress.org/browser/ditty-news-ticker/tags/3.1.64/includes/class-ditty-singles.php (nvd)
- plugins.trac.wordpress.org/browser/ditty-news-ticker/tags/3.1.64/includes/class-ditty-singles.php (nvd)
- plugins.trac.wordpress.org/browser/ditty-news-ticker/tags/3.1.65/includes/class-ditty-scripts.php (nvd)
- plugins.trac.wordpress.org/browser/ditty-news-ticker/tags/3.1.65/includes/class-ditty-singles.php (nvd)
- plugins.trac.wordpress.org/browser/ditty-news-ticker/tags/3.1.65/includes/class-ditty-singles.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/49fe8e8b-95fa-4c25-89cf-49566543206c (nvd)
News mentions (0)
No linked articles in our index yet.