Ditty < 3.1.36 – Author+ Stored XSS | CVE 2024-3939 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Go to https://example.com/wp-admin/admin.php?page=ditty-new
2. In the menu on the right, click "Add Default"
3. Put the following payload in the Content Title field: "><script></script><img src=x onerror=alert(document.domain)>
4. Click save and then reload to see the XSS

Affects Plugins

ditty-news-ticker

Fixed in 3.1.36

References

CVE

URL

https://research.cleantalk.org/cve-2024-3939/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Krugov Aryom

Submitter

Krugov Aryom

Verified

Yes

WPVDB ID

80a9eb3a-2cb1-4844-9004-ba2554b2d46c

Timeline

Publicly Published

2024-05-06 (about 1 months ago)

Added

2024-05-06 (about 1 months ago)

Last Updated

2024-05-13 (about 1 months ago)

Other

Published

Title

Published

2022-12-23

Title

ProfilePress < 4.5.1 - Admin+ Stored Cross-Site Scripting

Published

2024-04-26

Title

Fan Page Widget by ThemeNcode < 2.1 - Admin+ Stored XSS

Published

2022-06-13

Title

Elementor < 3.5.6 - DOM Reflected Cross-Site Scripting

Published

2021-12-14

Title

duoFAQ <= 1.4.8 - Reflected Cross-Site Scripting

Published

2019-01-09

Title

User Registration <= 1.5.5 - Authenticated Cross-Site Scripting (XSS)