VYPR

Ditty

by WordPress

CVEs (11)

  • CVE-2026-9011 | High | May 22, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it…

  • CVE-2024-32569 | Medium | Apr 18, 2024
    risk 0.42 | cvss 6.5 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metaphor Creations Ditty allows Stored XSS. This issue affects Ditty: from n/a through 3.1.31.

  • CVE-2023-23874 | Medium | May 3, 2023
    risk 0.42 | cvss 6.5 | epss 0.00

    Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Metaphor Creations Ditty plugin <= 3.0.32 versions.

  • CVE-2023-4148 | Medium | Sep 25, 2023
    risk 0.40 | cvss 6.1 | epss 0.01

    The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

  • CVE-2022-0533 | Medium | Mar 7, 2022
    risk 0.33 | cvss 6.1 | epss 0.02

    The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability.

  • CVE-2025-8085 | Sep 8, 2025
    risk 0.01 | cvss | epss 0.16

    The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.

  • CVE-2024-13357 | May 15, 2025
    risk 0.00 | cvss | epss 0.00

    The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…

  • CVE-2024-9600 | Nov 21, 2024
    risk 0.00 | cvss | epss 0.00

    The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks.

  • CVE-2024-6715 | Aug 23, 2024
    risk 0.00 | cvss | epss 0.00

    The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39.

  • CVE-2024-6710 | Aug 5, 2024
    risk 0.00 | cvss | epss 0.00

    The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

  • CVE-2024-5575 | Jul 13, 2024
    risk 0.00 | cvss | epss 0.00

    The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.