CVE-2026-9011
HighSummary
The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action, allowing unauthenticated attackers to access the full content of non-public Dittys.
Risk Assessment
Attackers can access content that administrators intended to keep hidden from public view, potentially leading to the exposure of sensitive information.
Recommendation
It is recommended to update the plugin to the latest version to mitigate this vulnerability and implement additional security measures to protect against unauthorized access.
Original NVD description (English source)
The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve the full item content of non-public Dittys — including drafts, pending, scheduled, and disabled entries — by enumerating integer post IDs against the ditty_init AJAX endpoint. Unlike the non-AJAX init() counterpart, init_ajax() does not verify that the requested Ditty has a 'publish' post status before loading and returning its items, allowing content that administrators explicitly withheld from public view to be extracted.

