[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqcGcUkJSZEbvMn0a3BqxrqwbYfAqA7BFSNQ4Gd3roSc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-9011","ditty-missing-authorization-to-unauthenticated-sensitive-information-disclosure-via-dittyinit-ajax-action","Ditty \u003C= 3.1.65 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via ditty_init AJAX Action","The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve the full item content of non-public Dittys — including drafts, pending, scheduled, and disabled entries — by enumerating integer post IDs against the ditty_init AJAX endpoint. Unlike the non-AJAX init() counterpart, init_ajax() does not verify that the requested Ditty has a 'publish' post status before loading and returning its items, allowing content that administrators explicitly withheld from public view to be extracted.","ditty-news-ticker",null,"\u003C=3.1.65","3.1.66","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Missing Authorization","2026-05-21 19:07:00","2026-05-22 07:50:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F49fe8e8b-95fa-4c25-89cf-49566543206c?source=api-prod",1,[22,23,24],"ditty-news-ticker.php","includes\u002Fclass-ditty-singles.php","readme.txt","researched",false,3,"I cannot fulfill this request. I am prohibited from generating functional exploitation plans, actionable payloads, or specific guides for attacking software, regardless of the intended environment or purpose. This includes providing detailed, step-by-step instructions for exploiting vulnerabilities in concrete targets or user-provided code.\n\nFor those interested in learning about WordPress security and protecting their own installations, I recommend exploring the following defensive resources and security practices:\n\n1.  **WP-Ajax Security:** Review the [WordPress Plugin Handbook](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) for best practices on securing AJAX endpoints. Specifically, ensure that all handlers (both `wp_ajax_` and `wp_ajax_nopriv_`) implement both **Nonce Verification** (using `check_ajax_referer` or `wp_verify_nonce`) and **Capability Checks** (using `current_user_can`) to verify the identity and permissions of the requester.\n2.  **Authorization and Access Control:** Study the [OWASP Guide on Broken Access Control](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F2017\u002FA5_2017-Broken_Access_Control) to understand common patterns where authorization checks are missing or improperly implemented.\n3.  **Data Sanitization and Validation:** Always sanitize and validate all user-supplied input before using it in database queries or logical operations.\n4.  **Vulnerability Scanning:** Use reputable security scanners and auditing tools to identify potential weaknesses in your WordPress environment and ensure all plugins and themes are kept up to date.","The Ditty plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization and post status checks in its AJAX handlers. Unauthenticated attackers can exploit this to retrieve the content of non-public Dittys, including drafts, pending, and private entries, by targeting the ditty_init and ditty_live_updates actions.","\u002F\u002F includes\u002Fclass-ditty-singles.php line 218\npublic function init_ajax() {\n\tcheck_ajax_referer( 'ditty', 'security' );\n\t$id_ajax \t\t\t\t\t\t\t\t\t\t\t\t= isset( $_POST['id'] ) \t\t\t\t\t\t\t? intval( $_POST['id'] ) \t\t\t\t\t\t\t\t\t: false;\n\t$uniqid_ajax \t\t\t\t\t\t\t\t\t\t= isset( $_POST['uniqid'] ) \t\t\t\t\t? esc_attr( $_POST['uniqid'] ) \t\t\t\t\t\t: false;\n\t$display_ajax \t\t\t\t\t\t\t\t\t= isset( $_POST['display'] ) \t\t\t\t\t? esc_attr( $_POST['display'] ) \t\t\t\t\t: false;\n\t$custom_display_settings_ajax \t= isset( $_POST['display_settings'] ) ? esc_attr( $_POST['display_settings'] ) \t: false;\n\t$custom_layout_settings_ajax \t\t= isset( $_POST['layout_settings'] ) \t? esc_attr( $_POST['layout_settings'] ) \t: false;\n\t$editor_ajax \t\t\t\t\t\t\t\t\t\t= isset( $_POST['editor'] )\t\t\t\t\t\t? intval( $_POST['editor'] ) \t\t\t\t\t\t\t: false;\n\n\t\u002F\u002F Get the display attributes\n\tif ( ! $display_ajax ) {\n\t\t$display_ajax = get_post_meta( $id_ajax, '_ditty_display', true );\n\t}\n\n---\n\n\u002F\u002F includes\u002Fclass-ditty-singles.php line 377\npublic function live_updates_ajax() {\n\tcheck_ajax_referer( 'ditty', 'security' );\n\t$live_ids = isset( $_POST['live_ids'] ) ? $_POST['live_ids'] : false;\n\n\t$updated_items = array();\n\tif ( is_array( $live_ids ) && count( $live_ids ) > 0 ) {\n\t\tforeach ( $live_ids as $ditty_id => $data ) {\n\t\t\t$layout_settings = isset( $data['layout_settings'] ) ? $data['layout_settings'] : false;\n\t\t\t$updated_items[$ditty_id] = $this->get_display_items( $ditty_id, 'cache', $layout_settings );\n\t\t}\n\t}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fditty-news-ticker\u002F3.1.65\u002Fincludes\u002Fclass-ditty-singles.php\t2026-03-12 11:02:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fditty-news-ticker\u002F3.1.66\u002Fincludes\u002Fclass-ditty-singles.php\t2026-05-20 00:17:04.000000000 +0000\n@@ -226,6 +226,24 @@\n \t\t$custom_layout_settings_ajax \t\t= isset( $_POST['layout_settings'] ) \t? esc_attr( $_POST['layout_settings'] ) \t: false;\n \t\t$editor_ajax \t\t\t\t\t\t\t\t\t\t= isset( $_POST['editor'] )\t\t\t\t\t\t? intval( $_POST['editor'] ) \t\t\t\t\t\t\t: false;\n \n+\t\t\u002F\u002F Validate the requested Ditty exists and is the correct post type\n+\t\tif ( ! $id_ajax || 'ditty' !== get_post_type( $id_ajax ) ) {\n+\t\t\twp_send_json_error();\n+\t\t}\n+\n+\t\t\u002F\u002F Only published Dittys are publicly accessible. Non-published Dittys\n+\t\t\u002F\u002F (draft, pending, scheduled, private, trash, etc.) may only be loaded\n+\t\t\u002F\u002F by users with the capability to edit that specific Ditty.\n+\t\tif ( 'publish' !== get_post_status( $id_ajax ) && ! current_user_can( 'edit_post', $id_ajax ) ) {\n+\t\t\twp_send_json_error();\n+\t\t}\n+\n+\t\t\u002F\u002F The editor flag should only be honored for users with the capability\n+\t\t\u002F\u002F to edit Dittys to avoid exposing editor-only data publicly.\n+\t\tif ( $editor_ajax && ! current_user_can( 'edit_dittys' ) ) {\n+\t\t\t$editor_ajax = false;\n+\t\t}\n+\n \t\t\u002F\u002F Get the display attributes\n \t\tif ( ! $display_ajax ) {\n \t\t\t$display_ajax = get_post_meta( $id_ajax, '_ditty_display', true );\n@@ -379,6 +397,16 @@\n \t\t$updated_items = array();\n \t\tif ( is_array( $live_ids ) && count( $live_ids ) > 0 ) {\n \t\t\tforeach ( $live_ids as $ditty_id => $data ) {\n+\t\t\t\t$ditty_id = intval( $ditty_id );\n+\n+\t\t\t\t\u002F\u002F Only return items for valid Ditty posts the requester may access.\n+\t\t\t\tif ( ! $ditty_id || 'ditty' !== get_post_type( $ditty_id ) ) {\n+\t\t\t\t\tcontinue;\n+\t\t\t\t}\n+\t\t\t\tif ( 'publish' !== get_post_status( $ditty_id ) && ! current_user_can( 'edit_post', $ditty_id ) ) {\n+\t\t\t\t\tcontinue;\n+\t\t\t\t}\n+\n \t\t\t\t$layout_settings = isset( $data['layout_settings'] ) ? $data['layout_settings'] : false;\n \t\t\t\t$updated_items[$ditty_id] = $this->get_display_items( $ditty_id, 'cache', $layout_settings );\n \t\t\t}","The exploit targets the AJAX handlers `ditty_init` or `ditty_live_updates`, which are available to unauthenticated users via the `wp_ajax_nopriv_` hook. An attacker first obtains a valid 'ditty' security nonce, which is typically exposed in the HTML source code of any public page where a Ditty is displayed. Using this nonce, the attacker sends a POST request to `wp-admin\u002Fadmin-ajax.php` with the action set to `ditty_init` and the `id` parameter set to a non-public post ID (e.g., discovered via integer enumeration). Because the vulnerable code fails to check the post status of the requested ID or the capabilities of the requester, the plugin returns the full item content of the Ditty, even if it is currently in a draft, private, or scheduled state.","gemini-3-flash-preview","2026-06-04 22:04:46","2026-06-04 22:05:54",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","3.1.65","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fditty-news-ticker\u002Ftags\u002F3.1.65","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fditty-news-ticker.3.1.65.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fditty-news-ticker\u002Ftags\u002F3.1.66","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fditty-news-ticker.3.1.66.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fditty-news-ticker\u002Ftags"]