Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
The Ditty - Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve the full item content of non-public Dittys - including drafts, pending, scheduled, and disabled entries - by enumerating integer post IDs against the ditty_init AJAX endpoint. Unlike the non-AJAX init() counterpart, init_ajax() does not verify that the requested Ditty has a 'publish' post status before loading and returning its items, allowing content that administrators explicitly withheld from public view to be extracted.
AnalysisAI
Unauthorized data disclosure in the Ditty - Responsive News Tickers, Sliders, and Lists WordPress plugin (versions 0 through 3.1.65) allows unauthenticated remote attackers to retrieve the full contents of non-public Ditty entries - including drafts, pending, scheduled, and disabled posts - by enumerating integer post IDs against the ditty_init AJAX endpoint. The flaw stems from the init_ajax() handler omitting the 'publish' post status check that its non-AJAX counterpart performs, exposing content administrators deliberately withheld from public view. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
Ditty is a WordPress plugin developed by Metaphor Creations that renders news tickers, sliders, and list widgets driven by custom post type entries (Dittys). The vulnerability resides in the init_ajax() function within class-ditty-singles.php (referenced around line 220 and registered via the ditty_init AJAX action wired in class-ditty-scripts.php line 463). Unlike the synchronous init() function, which gates content loading on a 'publish' post status check, the AJAX-exposed sibling fails to apply the same authorization predicate. This is a classic CWE-862 (Missing Authorization) flaw: an access-control decision required at one code path is absent at a parallel, equally privileged entry point, so any caller - including unauthenticated visitors over admin-ajax.php - can request and receive items associated with any Ditty post ID regardless of its publication state.
RemediationAI
Upgrade the Ditty plugin to a version newer than 3.1.65 once the maintainer publishes a patched release - the references confirm the vulnerable code persists in both 3.1.64 and 3.1.65 tags (plugins.trac.wordpress.org/browser/ditty-news-ticker/tags/3.1.65/includes/class-ditty-singles.php#L220), and a patched fixed version is not independently confirmed in the supplied data, so site operators should monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/49fe8e8b-95fa-4c25-89cf-49566543206c) and the WordPress plugin repository for the next release. Until a fix ships, compensating controls include blocking unauthenticated access to /wp-admin/admin-ajax.php?action=ditty_init at the WAF or reverse proxy (note this will break legitimate front-end ticker rendering for logged-out visitors and may force authenticated-only display), temporarily deactivating the Ditty plugin on sites that stage sensitive non-published Dittys, or avoiding the use of drafts/pending/scheduled/disabled Dittys to hold confidential content while the plugin remains installed. A virtual patch via Wordfence's firewall rules (typically delivered to paid customers ahead of free users) is a practical interim mitigation.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31419
GHSA-hg7j-7v3f-fjq2