cbcvebase.
CVE-2025-8085
published 2025-09-08


Priority: P1 | 88 | high | CVSS 3.1 base score 8.6
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:N / A:N
Tags: ITW, EXPLOIT (VulnCheck KEV); exploited in the wild
EPSS: 16.40% (96.6th percentile)
The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.

Affected (2 ranges)

Vendor             Product   Version range   Fixed in
metaphorcreations  ditty     < 3.1.58        3.1.58
yeswiki            yeswiki   >= 0 < 4.5.4    4.5.4

Detection & IOCs (extracted from sources)

url: POST /wp-json/dittyeditor/v1/displayItems
path: /wp-content/plugins/ditty-news-ticker/
  • Detect unauthenticated POST requests to the Ditty displayItems REST endpoint; no Authorization header or nonce required for versions < 3.1.57.
  • In version 3.1.57 a nonce check was added but can be retrieved by any authenticated user (e.g. subscriber role), so authenticated SSRF via this endpoint should also be monitored.
  • Look for POST bodies to /wp-json/dittyeditor/v1/displayItems containing an 'apiData' JSON object with a 'layouts' array using the {image default_src=...} template tag pointing to external/internal URLs; this is the SSRF trigger payload pattern.
  • Fingerprint vulnerable installations by searching for the plugin path string in HTTP response bodies.
  • The vulnerable endpoint is a WordPress REST API route; ensure WAF/IDS rules target the full path /wp-json/dittyeditor/v1/displayItems and not just generic /wp-json/ traffic to avoid false positives.
  • Version 3.1.57 introduced a partial fix (nonce check) that is bypassable by any subscriber-level account; detection rules should flag exploitation attempts from low-privilege authenticated sessions as well as unauthenticated ones.

CVSS provenance

nvd: CVSS v3.1 8.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
vulncheck: 8.6 HIGH