WordPress Plugin Vulnerabilities

Ditty < 3.1.59 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
ditty-news-ticker
Fixed in 3.1.59

References

CVE
CVE-2025-60105
URL
https://patchstack.com/database/wordpress/plugin/ditty-news-ticker/vulnerability/wordpress-ditty-plugin-3-1-58-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
zaim
Verified
No
WPVDB ID
38102a22-cbf7-456c-90e1-daf93c4b53bd

Timeline

Publicly Published
2025-09-26 (about 7 months ago)
Added
2025-09-29 (about 7 months ago)
Last Updated
2025-10-07 (about 7 months ago)

Other

Published
Title
Published
2023-03-14
Title
Admin side data storage for Contact Form 7 <= 1.1.1 - Unauthenticated Reflected XSS
Published
2017-03-10
Title
Profile Builder < 2.5.8 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2023-01-17
Title
Responsive Gallery Grid < 2.3.9 - Contributor+ Stored XSS
Published
2025-04-10
Title
WP Maps < 4.7.2 - Admin+ Stored XSS
Published
2026-04-07
Title
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce < 6.4.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar