Ditty < 3.1.47 – Author+ Stored XSS | CVE 2024-9600 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. Create a new post with the following title and publish it: 123" autofocus onfocus=alert(`XSS`)// 
2. Create/edit a Ditty, add "WP Posts Feed (Lite)" block and save
3. The XSS will be triggered upon adding the Block, as well as any time a user will edit/access the Ditty (like in page where it's embed)

Affects Plugins

ditty-news-ticker

Fixed in 3.1.47

References

CVE

URL

https://research.cleantalk.org/cve-2024-9600/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

d1c78389-29eb-4dce-848c-e0eab85ff5cd

Timeline

Publicly Published

2024-10-31 (about 1 year ago)

Added

2024-10-31 (about 1 year ago)

Last Updated

2024-10-31 (about 1 year ago)

Other

Published

Title

Published

2023-11-07

Title

Edit WooCommerce Templates < 1.1.2 - Reflected XSS

Published

2024-05-29

Title

Testimonial Carousel For Elementor < 10.2.3 - Contributor+ Stored XSS

Published

2023-08-14

Title

Article Directory Redux <= 1.0.2 - Admin+ Stored XSS

Published

2025-09-09

Title

PowerPack Lite for Elementor < 2.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting Via 'cursor_url'

Published

2018-04-23

Title

WD Instagram Feed <= 1.3.0 - XSS