Description
The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve the full item content of non-public Dittys — including drafts, pending, scheduled, and disabled entries — by enumerating integer post IDs against the ditty_init AJAX endpoint. Unlike the non-AJAX init() counterpart, init_ajax() does not verify that the requested Ditty has a 'publish' post status before loading and returning its items, allowing content that administrators explicitly withheld from public view to be extracted.
Published: 2026-05-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress contains an authorization bypass flaw in versions 3.1.65 and earlier. The flaw lies in the ditty_init AJAX endpoint, which fails to verify that the requested Ditty has a 'publish' status before loading and returning its items. As a result, unauthenticated users can enumerate post IDs and retrieve the full content of drafts, pending, scheduled, and disabled entries that are otherwise hidden from public view. This leads to direct exposure of sensitive content that administrators intended to keep private.

Affected Systems

The vulnerability affects all versions of the Ditty plugin up to and including 3.1.65. The plugin is distributed by the vendor metaphorcreations as the product Ditty – Responsive News Tickers, Sliders, and Lists. Any site running one of these releases is exposed.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity. The EPSS score is not available, but the lack of a listing in CISA’s KEV catalog implies no confirmed exploitation yet. Nonetheless, the flaw is easy to exploit by simply sending requests to the ditty_init AJAX action with incremental post IDs, requiring no authentication. An attacker with basic network access can retrieve private content, potentially compromising confidentiality. Immediate attention is warranted until a patched release is applied.

Generated by OpenCVE AI on May 22, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ditty plugin to the latest version that contains the fix.
  • Block unauthenticated requests to the ditty_init AJAX action by configuring the web-application firewall or by adding a rule to WordPress that allows only authenticated users to invoke this action.
  • If an upgrade is not immediately possible, remove or disable any plugins or custom code that expose the ditty_init endpoint to public users.
  • Monitor access logs for repeated attempts to enumerate post IDs on the ditty_init endpoint and investigate any suspicious activity.
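One way to apply the second and fourth recommendations together, as an added example that is not Ditty's or OpenCVE's code: a must-use plugin that hooks WordPress's `wp_ajax_nopriv_ditty_init` action (the hook WordPress fires for unauthenticated admin-ajax.php requests carrying action=ditty_init), refuses the request before the plugin's own handler runs, and records the attempt for log monitoring. The function name is hypothetical, and it assumes the plugin registers its handler at the default hook priority; logged-in users, whose requests go to the separate `wp_ajax_ditty_init` hook, are unaffected.

```php
<?php
/**
 * Plugin Name: Temporary hardening for ditty_init (added example, not part of Ditty)
 * Description: Place in wp-content/mu-plugins/ to deny unauthenticated ditty_init AJAX calls.
 */

// Hypothetical function name. WordPress dispatches unauthenticated admin-ajax.php
// requests with action=ditty_init to the 'wp_ajax_nopriv_ditty_init' hook. The
// plugin's own handler is assumed to sit at the default priority (10), so a callback
// registered with a lower priority number runs first and ends the request.
function example_deny_nopriv_ditty_init() {
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';

    // Leave a trail for the monitoring step: many denials from one client in a short
    // window are the signature of post-ID enumeration against this action.
    error_log( sprintf( 'ditty_init denied for unauthenticated client %s (%s)', $ip, $uri ) );

    // wp_send_json_error() ends the request via wp_die(), so the plugin's
    // handler never loads or returns any Ditty items.
    wp_send_json_error( array( 'message' => 'Authentication required.' ), 403 );
}
add_action( 'wp_ajax_nopriv_ditty_init', 'example_deny_nopriv_ditty_init', -100 );
```

If the site renders tickers for anonymous visitors through this same action, the rule blocks those loads as well, so check the public front end after enabling it.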


Advisories

No advisories yet.

History

Sat, 23 May 2026 03:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 13:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Metaphorcreations; Metaphorcreations ditty – Responsive News Tickers, Sliders, And Lists; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Metaphorcreations; Metaphorcreations ditty – Responsive News Tickers, Sliders, And Lists; Wordpress; Wordpress wordpress

Fri, 22 May 2026 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve the full item content of non-public Dittys — including drafts, pending, scheduled, and disabled entries — by enumerating integer post IDs against the ditty_init AJAX endpoint. Unlike the non-AJAX init() counterpart, init_ajax() does not verify that the requested Ditty has a 'publish' post status before loading and returning its items, allowing content that administrators explicitly withheld from public view to be extracted.

Type: Title
Values Removed: (none)
Values Added: Ditty <= 3.1.65 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via ditty_init AJAX Action

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-23T02:29:34.538Z

Reserved: 2026-05-19T14:12:28.468Z

Link: CVE-2026-9011

Vulnrichment

Updated: 2026-05-23T02:28:55.507Z

NVD

Status: Received

Published: 2026-05-22T09:16:33.327

Modified: 2026-05-22T09:16:33.327

Link: CVE-2026-9011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T12:37:52Z

Weaknesses