CVE-2025-8085
Published 2025-09-08
Priority: P188 · Severity: high · CVSS 3.1 base score 8.6
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
In the wild: exploited (ITW exploit, VulnCheck KEV)
EPSS: 16.40% (96.6th percentile)
The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metaphorcreations | ditty | < 3.1.58 | 3.1.58 |
| yeswiki | yeswiki | >= 0 < 4.5.4 | 4.5.4 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to the Ditty displayItems REST endpoint; no Authorization header or nonce is required for versions < 3.1.57.
- In version 3.1.57 a nonce check was added, but the nonce can be retrieved by any authenticated user (e.g. subscriber role), so authenticated SSRF via this endpoint should also be monitored.
- Look for POST bodies to /wp-json/dittyeditor/v1/displayItems containing an 'apiData' JSON object with a 'layouts' array that uses the {image default_src=...} template tag pointing to external or internal URLs; this is the SSRF trigger payload pattern.
- Fingerprint vulnerable installations by searching for the plugin path string in HTTP response bodies.
- The vulnerable endpoint is a WordPress REST API route; ensure WAF/IDS rules target the full path /wp-json/dittyeditor/v1/displayItems and not just generic /wp-json/ traffic, to avoid false positives.
- Version 3.1.57 introduced a partial fix (nonce check) that is bypassable by any subscriber-level account; detection rules should flag exploitation attempts from low-privilege authenticated sessions as well as unauthenticated ones.
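As an added illustration of the detection points above (written here, not taken from any of the cited sources), a small Python scanner over constructed access-log records: it matches POSTs only against the full displayItems route, separates unauthenticated calls from authenticated ones, and extracts the default_src target from the payload pattern. The record field names (method, path, user, body) are an assumption about the log pipeline.

```python
import json
import re

DITTY_ENDPOINT = "/wp-json/dittyeditor/v1/displayItems"
# {image default_src=...} template tag from the payload pattern above; group 1 is the URL it points at.
DEFAULT_SRC_TAG = re.compile(r"\{image[^}]*?default_src=\\?[\"']?([^\s\"'\\}]+)", re.IGNORECASE)

def layouts_present(body):
    """True when the JSON body carries an 'apiData' object with a 'layouts' array."""
    try:
        data = json.loads(body or "")
    except ValueError:
        return False
    api_data = data.get("apiData") if isinstance(data, dict) else None
    return isinstance(api_data, dict) and isinstance(api_data.get("layouts"), list)

def classify_request(rec):
    """Return a finding for a suspicious displayItems request, else None.
    rec is an assumed access-log record: method, path, user ('-' when unauthenticated), body."""
    # Compare the full REST route (query string aside) so generic /wp-json/ traffic never matches.
    path = rec["path"].split("?", 1)[0].rstrip("/")
    if rec["method"].upper() != "POST" or path != DITTY_ENDPOINT:
        return None
    authed = rec.get("user", "-") not in ("-", "", None)
    body = rec.get("body") or ""
    targets = DEFAULT_SRC_TAG.findall(body) if layouts_present(body) else []
    if authed and not targets:
        return None  # authenticated call without the SSRF payload: ordinary editor traffic
    return {
        "path": path,
        "session": "authenticated" if authed else "unauthenticated",
        # any unauthenticated call is wrong on < 3.1.57; the payload pattern raises it to high
        "severity": "high" if targets else "medium",
        "targets": targets,
    }

def scan(records):
    return [f for f in (classify_request(r) for r in records) if f]

# Constructed sample records (not real traffic); addresses are documentation/private ranges.
SAMPLE = [
    {"method": "POST", "path": DITTY_ENDPOINT, "user": "-",
     "body": '{"apiData":{"layouts":[{"html":"{image default_src=\\"http://198.51.100.7/probe\\"}"}]}}'},
    {"method": "POST", "path": DITTY_ENDPOINT + "?_locale=user", "user": "subscriber01",
     "body": '{"apiData":{"layouts":[{"html":"{image default_src=\'http://10.0.0.5:8080/\'}"}]}}'},
    {"method": "POST", "path": DITTY_ENDPOINT, "user": "-", "body": '{"apiData":{"layouts":[]}}'},
    {"method": "POST", "path": "/wp-json/wp/v2/posts", "user": "-",
     "body": '{"apiData":{"layouts":["{image default_src=http://203.0.113.9/a.png}"]}}'},
    {"method": "GET", "path": DITTY_ENDPOINT, "user": "editor", "body": ""},
]
```

`scan(SAMPLE)` yields three findings (two high, one medium); the request to a different /wp-json/ route and the GET are ignored despite looking similar.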
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| vulncheck | | 8.6 | HIGH | |
GHSA
GHSA-5w55-fgg7-m5gx · ghsa_unreviewed · 2025-09-08 · CVE-2025-8085 [HIGH] CWE-918
The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
GHSA
YesWiki Vulnerable to Unauthenticated Site Backup Creation and Download
ghsa · 2025-04-29 · CVE-2025-46348 [CRITICAL] CWE-287
### Summary
The request to commence a site backup can be performed without authentication. Then these backups can also be downloaded without authentication.
The archives are created with a predictable filename, so a malicious user could create an archive and then download the archive without being authenticated.
### Details
Create an installation using the instructions found in the docker folder of the repository, set up the site, and then send the request to create an archive, which you do not need to be authenticated for:
```
POST /?api/archives HTTP/1.1
Host: localhost:8085
action=startArchive&params%5Bsavefiles%5D=true&params%5Bsavedatabase%5D=true&callAsync=true
```
Then to retrieve it, make a simple `GET` request l
GHSA
YesWiki Remote Code Execution via Arbitrary PHP File Write and Execution
ghsa · 2025-04-29 · CVE-2025-46347 [HIGH] CWE-116
### Summary
An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server.
All testing was performed on a local docker setup running the latest version of the application.
### PoC
Navigate to `http://localhost:8085/?LookWiki` which allows you to click `Create a new Graphical configuration` where you specify some parameters and then click `Save`.
After clicking save, this request is made (most headers removed for clarity):
```
POST /?api/templates/custom-presets/test.css HTTP/1.1
Host: localhost:8085
primary-color=%230c5d6a&secondary-color-1=%23d8604c&secondary-color-2=%23d78958&neutral-color=%234e5056&neu
VulnCheck
Ditty WordPress Plugin Unauthenticated Server-Side Request Forgery (SSRF)
vulncheck · 2025 · CVSS 8.6 · CVE-2025-8085 [HIGH]
The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
Affected: metaphorcreations ditty
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-11-14&host_type=src&vulnerability=cve-2025-8085
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-11-17&host_type=src&vulnerability=cve-2025-8085
- https://dashboard.shadowserver.org/statistics/hone
No detection rules found.
Nuclei
Ditty < 3.1.58 - Server-Side Request Forgery
nuclei · CVSS 8.6 · CVE-2025-8085 [HIGH]
The plugin lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. v3.1.57 attempted to fix the issue with a nonce check; however, any authenticated user, such as a subscriber, can retrieve it.
Template:
```yaml
id: CVE-2025-8085

info:
  name: Ditty < 3.1.58 - Server-Side Request Forgery
  author: s4e-io
  severity: high
  description: |
    The plugin lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. v3.1.57 attempted to fix the issue with a nonce check, however any authenticated users, such as subscriber can retrieve it.
  impact: |
    Unauthenticated attackers can force t
```