WordPress Ditty Plugin: Authorization Bypass Exposes Non-Public Content
The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress, in all versions up to and including 3.1.65, is vulnerable to an authorization bypass, as reported by the National Vulnerability Database (NVD). This flaw stems from the plugin’s failure to adequately verify user authorization for actions, allowing unauthenticated attackers to retrieve full item content from non-public Dittys.
Attackers can exploit this by enumerating integer post IDs against the ditty_init AJAX endpoint. Crucially, the init_ajax() function, unlike its non-AJAX counterpart, does not validate a ‘publish’ post status before loading and returning items. This oversight enables the extraction of content that administrators explicitly intended to keep private, including drafts, pending, scheduled, and disabled entries.
This is a high-severity vulnerability, rated 7.5 CVSS (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). It directly undermines content confidentiality for WordPress sites using the Ditty plugin. The attacker’s calculus here is straightforward: enumerate IDs, bypass status checks, and exfiltrate sensitive information without authentication. Defenders need to recognize that ‘non-public’ doesn’t mean ‘secure’ if authorization controls are weak.
What This Means For You
- If your organization uses the Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress, you must immediately audit your installations. This authorization bypass (CVE-2026-9011) exposes non-public content. Patch to a version beyond 3.1.65 as soon as it's available, and review your WordPress site logs for any unusual access patterns to the `ditty_init` AJAX endpoint.
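One way to carry out the log review recommended above, as an added example that is not from the original advisory or from the Ditty plugin itself: it parses constructed combined-format access-log lines, keeps only successful requests to the `ditty_init` AJAX action, and flags any source IP that touched many distinct integer IDs. The `id` query-parameter name is an assumption; if the real plugin sends the ID in a POST body, a standard access log will not show it and only the per-IP request rate remains as a signal.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format), not real traffic.
# The "id" parameter name is an assumption; the real plugin may use another
# name or carry it in the POST body, which a standard access log omits.
SAMPLE_LOG = """\
203.0.113.5 - - [22/May/2026:12:20:01 +0000] "GET /wp-admin/admin-ajax.php?action=ditty_init&id=101 HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.5 - - [22/May/2026:12:20:01 +0000] "GET /wp-admin/admin-ajax.php?action=ditty_init&id=102 HTTP/1.1" 200 498 "-" "curl/8.5"
203.0.113.5 - - [22/May/2026:12:20:02 +0000] "GET /wp-admin/admin-ajax.php?action=ditty_init&id=103 HTTP/1.1" 200 501 "-" "curl/8.5"
203.0.113.5 - - [22/May/2026:12:20:02 +0000] "GET /wp-admin/admin-ajax.php?action=ditty_init&id=104 HTTP/1.1" 200 507 "-" "curl/8.5"
203.0.113.5 - - [22/May/2026:12:20:03 +0000] "GET /wp-admin/admin-ajax.php?action=ditty_init&id=105 HTTP/1.1" 200 499 "-" "curl/8.5"
198.51.100.7 - - [22/May/2026:12:21:10 +0000] "GET /wp-admin/admin-ajax.php?action=ditty_init&id=7 HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
198.51.100.7 - - [22/May/2026:12:21:11 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 9000 "https://example.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)

def ditty_init_id(target):
    """Return the integer id of a ditty_init AJAX request, or None otherwise."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)
    if qs.get("action") != ["ditty_init"]:
        return None
    raw = qs.get("id", [None])[0]   # assumed parameter name
    return int(raw) if raw is not None and raw.isdigit() else None

def find_enumerators(lines, min_distinct_ids=5):
    """Group successful ditty_init requests by source IP; flag IPs that hit many ids."""
    ids_by_ip = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        post_id = ditty_init_id(m.group("target"))
        if post_id is not None and m.group("status") == "200":
            ids_by_ip[m.group("ip")].add(post_id)
    return {ip: sorted(ids) for ip, ids in ids_by_ip.items()
            if len(ids) >= min_distinct_ids}

if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(ids)} distinct ditty ids, e.g. {ids[:3]}")
```

Tune `min_distinct_ids` to the number of Dittys a legitimate page of your site actually loads, so ordinary visitors are not flagged.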
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-9011 | Auth Bypass | Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress versions <= 3.1.65 |
| CVE-2026-9011 | Information Disclosure | ditty_init AJAX endpoint |
| CVE-2026-9011 | Information Disclosure | Enumeration of integer post IDs |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 22, 2026 at 12:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.