A critical security vulnerability CVE-2024-3939 was discovered in the WordPress plugin Ditty, which was downloaded by more than 40k users. This vulnerability exposes websites to the risk of attacks using stored cross-site scripting (XSS), which can potentially lead to account hijacking and violation of the integrity of the website. (if an attacker has previously hacked into an administrator or editor account, they can use the backdoor to restore access)

Main info:

PluginDitty < 3.1.36
All Time2 289 865
Active installations40 000+
Publicly PublishedMay 6, 2024
Last UpdatedMay 6, 2024
ResearcherArtyom Krugov
OWASP TOP-10A7: Cross-Site Scripting (XSS)
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3939/
Plugin Security Certification by CleanTalk
Logo of the plugin


March 26, 2024Plugin testing and vulnerability detection in the Ditty plugin have been completed
March 26, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
May 6, 2024Registered CVE-2024-3939

Discovery of the Vulnerability

During testing of the Ditty plugin, security researchers identified a vulnerability in the control panel’s Add New tab > Add Default section. Fields such as Content, Link, Link Title, and Label were found to be vulnerable, enabling Stored XSS attacks by injecting malicious short code into new publications. This discovery raises serious concerns about the plugin’s security posture and its impact on WordPress sites.

Understanding of Stored XSS attack’s

Stored XSS, or Persistent XSS, poses a significant risk to WordPress sites by allowing attackers to inject malicious code that persists across sessions. Examples include injecting code into form fields or comment sections, which, when executed, can lead to account hijacking, data theft, or malware distribution. In the case of Ditty, attackers can exploit this vulnerability to create a backdoor, compromising the security of affected websites..

Exploiting the Stored XSS Vulnerability

Exploiting the Stored XSS vulnerability in Ditty involves inserting malicious code into vulnerable fields, such as Content, Link, Link Title, and Label. Attackers can craft payloads containing JavaScript code to steal user cookies, redirect users to malicious sites, or perform actions on compromised accounts. Despite filtering attempts by the plugin, attackers can bypass these measures by encoding HTML characters, enabling successful exploitation of the vulnerability.


it was possible to detect a vulnerability in the control panel of the Add New tab > Add Default. There are fields in the settings that are vulnerable: Content, Link, Link Title, Lable. Payload:

"&gt;&lt;script&gt;&lt;/script&gt;&lt;img src=x onerror=alert(Malicious payload)&gt;


The exploitation of CVE-2024-3939 in Ditty poses severe risks to WordPress sites and their users. Attackers can leverage the vulnerability to launch convincing phishing attacks, compromising user accounts and website integrity. Additionally, the ability to create a backdoor through Stored XSS opens the door to further exploitation, including data exfiltration and malware distribution, leading to reputational damage and financial loss.

Recommendations for Improved Security

Website administrators and WordPress users are strongly advised to update the Ditty to the latest patched version immediately. Additionally, developers should prioritize implementing robust input validation and output sanitization mechanisms within their plugins to mitigate the risk of XSS vulnerabilities. Regular security audits and proactive monitoring can also help identify and address potential security issues before they are exploited by malicious actors.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-3939, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

Artyom k.

Create your CleanTalk account

By signing up, you agree with license. Have an account? Log in.
CVE-2024-3939 – Ditty – Stored XSS to JS backdoor creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *