Skip to main content

Ditty WordPress Plugin EUVDEUVD-2026-31419

| CVE-2026-9011 HIGH
Missing Authorization (CWE-862)
2026-05-22 Wordfence GHSA-hg7j-7v3f-fjq2
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 09:30 vuln.today

DescriptionCVE.org

The Ditty - Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve the full item content of non-public Dittys - including drafts, pending, scheduled, and disabled entries - by enumerating integer post IDs against the ditty_init AJAX endpoint. Unlike the non-AJAX init() counterpart, init_ajax() does not verify that the requested Ditty has a 'publish' post status before loading and returning its items, allowing content that administrators explicitly withheld from public view to be extracted.

AnalysisAI

Unauthorized data disclosure in the Ditty - Responsive News Tickers, Sliders, and Lists WordPress plugin (versions 0 through 3.1.65) allows unauthenticated remote attackers to retrieve the full contents of non-public Ditty entries - including drafts, pending, scheduled, and disabled posts - by enumerating integer post IDs against the ditty_init AJAX endpoint. The flaw stems from the init_ajax() handler omitting the 'publish' post status check that its non-AJAX counterpart performs, exposing content administrators deliberately withheld from public view. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

Ditty is a WordPress plugin developed by Metaphor Creations that renders news tickers, sliders, and list widgets driven by custom post type entries (Dittys). The vulnerability resides in the init_ajax() function within class-ditty-singles.php (referenced around line 220 and registered via the ditty_init AJAX action wired in class-ditty-scripts.php line 463). Unlike the synchronous init() function, which gates content loading on a 'publish' post status check, the AJAX-exposed sibling fails to apply the same authorization predicate. This is a classic CWE-862 (Missing Authorization) flaw: an access-control decision required at one code path is absent at a parallel, equally privileged entry point, so any caller - including unauthenticated visitors over admin-ajax.php - can request and receive items associated with any Ditty post ID regardless of its publication state.

RemediationAI

Upgrade the Ditty plugin to a version newer than 3.1.65 once the maintainer publishes a patched release - the references confirm the vulnerable code persists in both 3.1.64 and 3.1.65 tags (plugins.trac.wordpress.org/browser/ditty-news-ticker/tags/3.1.65/includes/class-ditty-singles.php#L220), and a patched fixed version is not independently confirmed in the supplied data, so site operators should monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/49fe8e8b-95fa-4c25-89cf-49566543206c) and the WordPress plugin repository for the next release. Until a fix ships, compensating controls include blocking unauthenticated access to /wp-admin/admin-ajax.php?action=ditty_init at the WAF or reverse proxy (note this will break legitimate front-end ticker rendering for logged-out visitors and may force authenticated-only display), temporarily deactivating the Ditty plugin on sites that stage sensitive non-published Dittys, or avoiding the use of drafts/pending/scheduled/disabled Dittys to hold confidential content while the plugin remains installed. A virtual patch via Wordfence's firewall rules (typically delivered to paid customers ahead of free users) is a practical interim mitigation.

Share

EUVD-2026-31419 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy