Skip to main content

Ditty Responsive News Tickers Sliders And Lists

1 CVEs product

Monthly

CVE-2026-9011 HIGH This Week

Unauthorized data disclosure in the Ditty - Responsive News Tickers, Sliders, and Lists WordPress plugin (versions 0 through 3.1.65) allows unauthenticated remote attackers to retrieve the full contents of non-public Ditty entries - including drafts, pending, scheduled, and disabled posts - by enumerating integer post IDs against the ditty_init AJAX endpoint. The flaw stems from the init_ajax() handler omitting the 'publish' post status check that its non-AJAX counterpart performs, exposing content administrators deliberately withheld from public view. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

WordPress Authentication Bypass Ditty Responsive News Tickers Sliders And Lists
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized data disclosure in the Ditty - Responsive News Tickers, Sliders, and Lists WordPress plugin (versions 0 through 3.1.65) allows unauthenticated remote attackers to retrieve the full contents of non-public Ditty entries - including drafts, pending, scheduled, and disabled posts - by enumerating integer post IDs against the ditty_init AJAX endpoint. The flaw stems from the init_ajax() handler omitting the 'publish' post status check that its non-AJAX counterpart performs, exposing content administrators deliberately withheld from public view. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

WordPress Authentication Bypass Ditty Responsive News Tickers Sliders And Lists
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy