Metaphorcreations Ditty vulnerabilities
11 known vulnerabilities affecting metaphorcreations/ditty.

Total CVEs: 11
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 9, UNKNOWN 1

Vulnerabilities
CVE-2025-60105
  Severity: UNKNOWN | Affected: <= 3.1.58 | Published: 2025-09-26 | CWE-79 | Sources: cvelistv5, nvd
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty ditty-news-ticker allows Stored XSS. This issue affects Ditty: from n/a through <= 3.1.58.
CVE-2025-8085
  Severity: HIGH (CVSS 8.6) | Public PoC | Fixed in: 3.1.58 | Published: 2025-09-08 | CWE-918 | Source: nvd
  The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
CVE-2024-13357
  Severity: MEDIUM (CVSS 4.8) | Fixed in: 3.1.52 | Published: 2025-05-15 | CWE-79 | Source: nvd
  The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-9600
  Severity: MEDIUM (CVSS 4.8) | Fixed in: 3.1.47 | Published: 2024-11-21 | CWE-79 | Source: nvd
  The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks.
CVE-2024-6715
  Severity: MEDIUM (CVSS 6.1) | Fixed in: 3.1.46 | Published: 2024-08-23 | CWE-79 | Source: nvd
  The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39.
CVE-2024-6710
  Severity: MEDIUM (CVSS 5.4) | Fixed in: 3.1.46 | Published: 2024-08-05 | CWE-79 | Source: nvd
  The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
CVE-2024-5575
  Severity: MEDIUM (CVSS 4.7) | Fixed in: 3.1.43 | Published: 2024-07-13 | CWE-79 | Source: nvd
  The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
CVE-2024-3939
  Severity: MEDIUM (CVSS 5.4) | Fixed in: 3.1.36 | Published: 2024-05-27 | CWE-79 | Source: nvd
  The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2023-4148
  Severity: MEDIUM (CVSS 6.1) | Public PoC | Fixed in: 3.1.25 | Published: 2023-09-25 | CWE-79 | Source: nvd
  The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2023-23874
  Severity: MEDIUM (CVSS 5.4) | Fixed in: 3.0.33 | Published: 2023-05-03 | CWE-79 | Source: nvd
  Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Metaphor Creations Ditty plugin <= 3.0.32 versions.
CVE-2022-0533
  Severity: MEDIUM (CVSS 6.1) | Public PoC | Fixed in: 3.0.15 | Published: 2022-03-07 | CWE-79 | Source: nvd
  The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability.