Unknown Ditty vulnerabilities

8 known vulnerabilities affecting unknown/ditty.

Total CVEs
8
CISA KEV
0
Public exploits
2
Exploited in wild
0
Severity breakdown
HIGH1MEDIUM7

Vulnerabilities

Page 1 of 1
CVE-2025-8085HIGHCVSS 8.6PoCfixed in 3.1.582025-09-08
CVE-2025-8085 [HIGH] CWE-918 CVE-2025-8085: The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
cvelistv5nvd
CVE-2024-13357MEDIUMCVSS 4.8fixed in 3.1.522025-05-15
CVE-2024-13357 [MEDIUM] CWE-79 CVE-2024-13357: The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which c The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
cvelistv5nvd
CVE-2024-9600MEDIUMCVSS 4.8fixed in 3.1.472024-11-21
CVE-2024-9600 [MEDIUM] CWE-79 CVE-2024-9600: The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which c The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks.
cvelistv5nvd
CVE-2024-6715MEDIUMCVSS 6.1≥ 3.1.39, < 3.1.462024-08-23
CVE-2024-6715 [MEDIUM] CWE-79 CVE-2024-6715: The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://w The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39
cvelistv5nvd
CVE-2024-6710MEDIUMCVSS 5.4fixed in 3.1.452024-08-05
CVE-2024-6710 [MEDIUM] CWE-79 CVE-2024-6710: The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
cvelistv5nvd
CVE-2024-5575MEDIUMCVSS 4.7fixed in 3.1.432024-07-13
CVE-2024-5575 [MEDIUM] CWE-79 CVE-2024-5575: The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
cvelistv5nvd
CVE-2024-3939MEDIUMCVSS 5.4fixed in 3.1.362024-05-27
CVE-2024-3939 [MEDIUM] CWE-79 CVE-2024-3939: The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which c The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
cvelistv5nvd
CVE-2023-4148MEDIUMCVSS 6.1PoCfixed in 3.1.252023-09-25
CVE-2023-4148 [MEDIUM] CWE-79 CVE-2023-4148: The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
cvelistv5nvd