VYPR

Vendor: Metaphorcreations

Products: 3
CVEs: 14 (across products: 14)
Status: Private

Recent CVEs (14)

  • CVE-2024-3954 | High | May 14, 2024
    risk 0.57 | cvss 8.8 | epss 0.01

    The Ditty plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.1.38 via deserialization of untrusted input when adding a new ditty. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object.…

  • CVE-2025-32567 | High | Apr 11, 2025
    risk 0.55 | cvss 8.5 | epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in dev02ali Easy Post Duplicator easy-post-duplicator allows SQL Injection. This issue affects Easy Post Duplicator: from n/a through <= 1.0.1.

  • CVE-2025-32538 | High | Apr 11, 2025
    risk 0.46 | cvss 7.1 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dev02ali Easy Post Duplicator easy-post-duplicator allows Reflected XSS. This issue affects Easy Post Duplicator: from n/a through <= 1.0.1.

  • CVE-2025-60105 | Medium | Sep 26, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty ditty-news-ticker allows Stored XSS. This issue affects Ditty: from n/a through <= 3.1.58.

  • CVE-2025-23816 | Medium | Jan 16, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Metaphor Widgets allows Stored XSS. This issue affects Metaphor Widgets: from n/a through 2.4.

  • CVE-2025-24736 | Medium | Jan 24, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Missing Authorization vulnerability in metaphorcreations Post Duplicator post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Duplicator: from n/a through <= 2.35.

  • CVE-2024-12472 | Medium | Jan 11, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    The Post Duplicator plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the mtphr_duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated…

  • CVE-2023-49835 | Medium | Dec 9, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    Missing Authorization vulnerability in Metaphor Creations Post Duplicator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Duplicator: from n/a through 2.31.

  • CVE-2025-8085 | Sep 8, 2025
    risk 0.01 | cvss n/a | epss 0.16

    The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.

  • CVE-2024-13357 | May 15, 2025
    risk 0.00 | cvss n/a | epss 0.00

    The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…

  • CVE-2024-9600 | Nov 21, 2024
    risk 0.00 | cvss n/a | epss 0.00

    The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks.

  • CVE-2024-6715 | Aug 23, 2024
    risk 0.00 | cvss n/a | epss 0.00

    The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39.

  • CVE-2024-6710 | Aug 5, 2024
    risk 0.00 | cvss n/a | epss 0.00

    The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

  • CVE-2024-5575 | Jul 13, 2024
    risk 0.00 | cvss n/a | epss 0.00

    The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.