Vulnerabilities and security researches forditty-news-ticker ditty-news-ticker

Oct 11, 2025

CVE, Research URL: CVE-2025-60105
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: Sep 26, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty allows Stored XSS. This issue affects Ditty: from n/a through 3.1.58.
Affected versions: max 3.1.58.
Status: vulnerable

May 13, 2025

CVE, Research URL: CVE-2024-13357
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: May 16, 2025
Research Description: The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions: max 3.1.52.
Status: vulnerable

Nov 17, 2024

CVE, Research URL: CVE-2024-9600
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: Nov 21, 2024
Research Description: The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks.
Affected versions: max 3.1.47.
Status: vulnerable

Aug 25, 2024

CVE, Research URL: CVE-2024-6715
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: Aug 23, 2024
Research Description: The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39
Affected versions: max 3.1.46.
Status: vulnerable

Aug 07, 2024

CVE, Research URL: CVE-2024-6710
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: Aug 05, 2024
Research Description: The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
Affected versions: max 3.1.45.
Status: vulnerable

Jul 13, 2024

CVE, Research URL: CVE-2024-5575
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: Jul 13, 2024
Research Description: The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Affected versions: max 3.1.43.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2023-47764
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: Dec 09, 2024
Research Description: Missing Authorization vulnerability in Metaphor Creations Ditty allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ditty: from n/a through 3.1.24.
Affected versions: max 3.1.25.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2023-23874
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: May 03, 2023
Research Description: Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Metaphor Creations Ditty plugin <= 3.0.32 versions.
Affected versions: max 3.0.33.
Status: vulnerable

CVE, Research URL: CVE-2023-4148
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: Sep 25, 2023
Research Description: The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Affected versions: max 3.1.25.
Status: vulnerable

CVE, Research URL: CVE-2024-32569
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: Apr 18, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metaphor Creations Ditty allows Stored XSS.This issue affects Ditty: from n/a through 3.1.31.
Affected versions: max 3.1.32.
Status: vulnerable

CVE, Research URL: CVE-2022-0533
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: Mar 07, 2022
Research Description: The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability.
Affected versions: max 3.0.15.
Status: vulnerable

CVE, Research URL: CVE-2024-3954
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: May 14, 2024
Research Description: The Ditty plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.1.38 via deserialization of untrusted input when adding a new ditty. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Affected versions: max 3.1.39.
Status: vulnerable

CVE, Research URL: CVE-2024-3939
Home page URL: Security reports for Ditty – Responsive News Tickers, Sliders, and Lists
Application: Ditty – Responsive News Tickers, Sliders, and Lists
Date: May 27, 2024
Research Description: The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: max 3.1.36.
Status: vulnerable