WordPress Plugin Vulnerabilities

Ditty < 3.1.25 - Missing Authorization via save_ditty_permissions_check

Description

The Ditty plugin for WordPress is vulnerable to unauthorized editing of dittys due to a missing capability check on the save_ditty_permissions_check function in versions up to, and including, 3.1.24. This makes it possible for unauthenticated attackers to edit dittys.

Affects Plugins

Plugin icon
ditty-news-ticker
Fixed in 3.1.25

References

CVE
CVE-2023-47764
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/08630dfd-df43-4a5a-8fc7-ba8ff753db3d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
586524d3-f63f-4a4e-ba2c-9ca54379df9c

Timeline

Publicly Published
2023-11-13 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-01-31
Title
Load More Anything < 3.3.4 - Subscriber+ Settings Update
Published
2025-12-08
Title
Page View Count <= 2.8.7 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2023-09-04
Title
Woocommerce Support System < 1.2.3 - Unauthenticated Ticket Deletion/Update, Settings Update etc
Published
2025-03-12
Title
Page Builder: Pagelayer – Drag and Drop website builder < 2.0.0 - Missing Authorization to Authenticated (Contributor+) Post Publication
Published
2025-02-24
Title
Pie Register Premium < 3.8.3.3 - Missing Authorization