WordPress Plugin Vulnerabilities

Ditty 3.1.39-3.1.45 - Author+ Stored XSS

Description

The plugin re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39

Proof of Concept

Affects Plugins

Plugin icon
ditty-news-ticker
Fixed in 3.1.46

References

CVE
CVE-2024-6715

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
19406acc-3441-4d4a-9163-ace8f1dceb78

Timeline

Publicly Published
2024-08-02 (about 1 year ago)
Added
2024-08-02 (about 1 year ago)
Last Updated
2024-08-02 (about 1 year ago)

Other

Published
Title
Published
2023-07-26
Title
User Email Verification for WooCommerce <= 3.5.0 - Reflected XSS
Published
2015-08-13
Title
All In One WP Security & Firewall <= 3.9.7 - Unauthenticated Cross-Site Scripting (XSS)
Published
2017-07-26
Title
Ultimate Affiliate Pro WordPress Plugin < 4.0 - Authenticated Stored XSS
Published
2024-12-02
Title
Element Pack Elementor Addons < 5.10.6 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Lightbox Widget
Published
2024-04-25
Title
GS Pins for Pinterest < 1.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shorcode