Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-02-09
CVE-2025-8085 - Ditty Plugin
The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
PLUGIN
Ditty
CVE-2025-8085
Risk Score
Threat Entry
Updated 2025-06-10
CVE-2024-13357 - Ditty Plugin
The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Ditty
CVE-2024-13357
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-9600 - Ditty Plugin
The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks.
PLUGIN
Ditty
CVE-2024-9600
Risk Score
Threat Entry
Updated 2025-05-17
CVE-2024-6715 - Ditty Plugin
The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39
PLUGIN
Ditty
CVE-2024-6715
Risk Score
Threat Entry
Updated 2024-09-05
CVE-2024-6710 - Ditty Plugin
The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
PLUGIN
Ditty
CVE-2024-6710
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-5575 - Ditty Plugin
The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Ditty
CVE-2024-5575
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2024-3939 - Ditty Plugin
The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Ditty
CVE-2024-3939
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3954 - Ditty Plugin
The Ditty plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.1.38 via deserialization of untrusted input when adding a new ditty. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Ditty
CVE-2024-3954
Risk Score
Threat Entry
Updated 2025-05-01
CVE-2023-4148 - Ditty Plugin
The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Ditty
CVE-2023-4148
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0533 - Ditty Plugin
The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability.
PLUGIN
Ditty
CVE-2022-0533
Risk Score