Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty ditty-news-ticker allows Stored XSS. This issue affects Ditty: from n/a through <= 3.1.58.
Published: 2025-09-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored Cross-Site Scripting flaw: the Ditty plugin fails to properly neutralize user-supplied input before rendering it in web pages. Successful exploitation allows an attacker to inject arbitrary JavaScript that executes in the browsers of all visitors who load the affected page, potentially enabling session hijacking, data theft, or defacement. This weakness corresponds to CWE-79.

Affected Systems

The issue affects the WordPress Ditty news ticker plugin from Metaphor Creations in all releases up to and including version 3.1.58. Any site running that version or an earlier revision of the plugin is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 6.5, the vulnerability is considered moderately severe. The EPSS score of less than 1% indicates a very low probability of exploitation at present, and it is not listed in the CISA KEV catalog. The likely attack vector involves an authenticated or unauthenticated user submitting malicious input through the plugin's interface, which is then stored and rendered as part of the ticker output; note that the CVSS vector recorded in the history below (PR:L, UI:R) indicates that low privileges and user interaction are required. Once the payload is in place, all visitors to the affected pages can be impacted.

Generated by OpenCVE AI on April 30, 2026 at 00:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ditty plugin to the latest version (3.1.59 or newer) to address the stored XSS flaw.
  • If an upgrade cannot be performed immediately, disable or remove the plugin from the WordPress installation to eliminate the vulnerable code path.
  • Apply input sanitization or enforce a strict Content Security Policy so that any script content injected into the ticker is blocked or neutralized before execution.

Advisories
Source: EUVD
ID: EUVD-2025-31295
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty allows Stored XSS. This issue affects Ditty: from n/a through 3.1.58.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics cvssV3_1 (changed): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description (values removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty allows Stored XSS. This issue affects Ditty: from n/a through 3.1.58.
Description (values added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty ditty-news-ticker allows Stored XSS. This issue affects Ditty: from n/a through <= 3.1.58.
References: (values not shown)
Metrics cvssV3_1 (changed): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 29 Sep 2025 09:45:00 +0000

First Time appeared (values added): Metaphorcreations; Metaphorcreations ditty; Wordpress; Wordpress wordpress
Vendors & Products (values added): Metaphorcreations; Metaphorcreations ditty; Wordpress; Wordpress wordpress

Fri, 26 Sep 2025 15:15:00 +0000

Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 08:45:00 +0000

Description (values added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty allows Stored XSS. This issue affects Ditty: from n/a through 3.1.58.
Title (values added): WordPress Ditty Plugin <= 3.1.58 - Cross Site Scripting (XSS) Vulnerability
Weaknesses (values added): CWE-79
References: (values not shown)
Metrics cvssV3_1 (values added): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:54.879Z

Reserved: 2025-09-25T15:20:16.565Z

Link: CVE-2025-60105

Vulnrichment

Updated: 2025-09-26T15:05:53.981Z

NVD

Status: Deferred

Published: 2025-09-26T09:15:36.277

Modified: 2026-04-23T15:34:13.707

Link: CVE-2025-60105

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:15:23Z

Weaknesses