WordPress Plugin Vulnerabilities

Ditty < 3.1.45 - Author+ Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

Proof of Concept

Affects Plugins

Plugin icon
ditty-news-ticker
Fixed in 3.1.45

References

CVE
CVE-2024-6710
URL
https://research.cleantalk.org/cve-2024-6710/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/
Verified
Yes
WPVDB ID
1afcf9d4-c2f9-4d47-8d9e-d7fa6ae2358d

Timeline

Publicly Published
2024-07-15 (about 1 year ago)
Added
2024-07-15 (about 1 year ago)
Last Updated
2024-07-15 (about 1 year ago)

Other

Published
Title
Published
2025-07-14
Title
WP-Click-Tracker <= 0.7.3 - Reflected Cross-Site Scripting
Published
2025-09-26
Title
Nota Fiscal Eletrônica WooCommerce <= 3.4.0.7 - Shop manager+ Stored XSS
Published
2025-05-09
Title
SMS Alert Order Notifications – WooCommerce < 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via sa_verify Shortcode
Published
2016-04-12
Title
MiniMax <= 2.0.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2024-10-21
Title
WP ERP < 1.13.3 - Reflected Cross-Site Scripting