This page lists publicly disclosed CVE vulnerabilities affecting metaphorcreations ditty (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-8085 | The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. | [email protected] | 8.6 | 16.40% | 2025-09-08 | 2026-06-17 |
| CVE-2024-13357 | The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | [email protected] | 4.8 | 0.27% | 2025-05-15 | 2026-06-17 |
| CVE-2024-9600 | The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks. | [email protected] | 4.8 | 0.36% | 2024-11-21 | 2026-06-17 |
| CVE-2024-6715 | The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39 | [email protected] | 6.1 | 0.32% | 2024-08-23 | 2026-06-17 |
| CVE-2024-6710 | The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. | [email protected] | 5.4 | 0.33% | 2024-08-05 | 2026-06-17 |
| CVE-2024-5575 | The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | [email protected] | 4.7 | 0.41% | 2024-07-13 | 2026-06-17 |
| CVE-2024-3939 | The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | [email protected] | 5.4 | 0.40% | 2024-05-27 | 2026-06-17 |
| CVE-2023-4148 | The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | [email protected] | 6.1 | 0.81% | 2023-09-25 | 2026-06-17 |
| CVE-2023-23874 | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Metaphor Creations Ditty plugin <= 3.0.32 versions. | [email protected] | 6.5 | 0.39% | 2023-05-03 | 2026-06-17 |
| CVE-2022-0533 | The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability. | [email protected] | 6.1 | 1.86% | 2022-03-07 | 2026-06-17 |