Metaphorcreations Ditty
12 CVEs affecting Metaphorcreations Ditty. Latest disclosed: 2025-09-26. Critical: 0, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-8085 | High | 8.6 | 2025-09-08 | The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors t… |
| CVE-2025-60105 | Medium | 6.5 | 2025-09-26 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty ditty-news-ticker allows Stored X… |
| CVE-2023-47764 | Medium | 6.5 | 2024-12-09 | Missing Authorization vulnerability in metaphorcreations Ditty ditty-news-ticker allows Exploiting Incorrectly Configured Access Control Security Levels. This i… |
| CVE-2023-23874 | Medium | 6.5 | 2023-05-03 | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Metaphor Creations Ditty plugin <= 3.0.32 versions. |
| CVE-2024-6715 | Medium | 6.1 | 2024-08-23 | The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46… |
| CVE-2023-4148 | Medium | 6.1 | 2023-09-25 | The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to… |
| CVE-2022-0533 | Medium | 6.1 | 2022-03-07 | The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability. |
| CVE-2024-6710 | Medium | 5.4 | 2024-08-05 | The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cr… |
| CVE-2024-3939 | Medium | 5.4 | 2024-05-27 | The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform St… |
| CVE-2024-13357 | Medium | 4.8 | 2025-05-15 | The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform S… |
| CVE-2024-9600 | Medium | 4.8 | 2024-11-21 | The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform S… |
| CVE-2024-5575 | Medium | 4.7 | 2024-07-13 | The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to… |