Ditty News Tickers Plugin for WordPress Authorization Bypass Vulnerability

Vulnerability

An authorization bypass vulnerability has been identified in the Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress, affecting all versions up to and including 3.1.65. The issue arises because the plugin does not verify that the caller is authorized to view the requested item before returning it. This flaw enables unauthenticated attackers to read the full content of non-public Ditty items, such as drafts and scheduled entries, by supplying arbitrary post IDs to the ditty_init AJAX endpoint. Unlike its non-AJAX counterpart, the init_ajax() function lacks a check for the 'publish' status before returning item data, thereby exposing content that should remain private.

Impact

Exploitation of this vulnerability allows unauthorized users to access and retrieve non-public content from the WordPress site, including drafts and scheduled items, potentially leading to unauthorized disclosure of sensitive information.

Reproduction

To reproduce this vulnerability, send a POST request to the 'ditty_init' AJAX endpoint without authentication. Include an 'id' parameter with the integer value corresponding to the post ID of the non-public Ditty item. The response will contain the full content of the item, bypassing authorization checks.
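The following is an added illustration of the authorization pattern described above, not the Ditty plugin's own source. It places a handler with the defect the advisory describes (item returned with no status check) beside a hardened version that serves the item only when it is published or when the caller holds a capability on it, so the unauthenticated request described in the Reproduction section receives a "not found" response for a draft or scheduled item. The action name 'ditty_init', the 'id' parameter and the 'publish' status come from the advisory; the function names, the hook wiring and the 'ditty' post type are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Function names, the hook wiring and the
// 'ditty' post type are assumptions; 'ditty_init', 'id' and 'publish' come from the advisory.

// Vulnerable shape: loads the item by ID and returns it regardless of post status.
// Because the handler is intended for anonymous visitors (nopriv), anyone can call it.
// Shown for contrast only; it is NOT hooked below.
function example_ditty_init_ajax_vulnerable() {
    $id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $post = get_post( $id );

    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }

    // No status or capability check: drafts ('draft') and scheduled items ('future')
    // are returned exactly like published ones.
    wp_send_json_success( array(
        'id'      => $post->ID,
        'title'   => $post->post_title,
        'content' => $post->post_content,
    ) );
}

// Hardened shape: serve the item only if it is published, or if the current user
// may edit it (editors previewing their own drafts still work when logged in).
function example_ditty_init_ajax_hardened() {
    $id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $post = get_post( $id );

    // Restrict to the plugin's own post type so this endpoint cannot be used to read
    // arbitrary posts. The 'ditty' post type name is an assumption for this example.
    if ( ! $post || 'ditty' !== $post->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    $is_public        = ( 'publish' === get_post_status( $post ) );
    $may_read_private = current_user_can( 'edit_post', $post->ID );

    if ( ! $is_public && ! $may_read_private ) {
        // Same response as for a missing item, so the error text does not reveal
        // whether a non-public item with this ID exists.
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( array(
        'id'      => $post->ID,
        'title'   => $post->post_title,
        'content' => $post->post_content,
    ) );
}

// Register the hardened handler for both anonymous and logged-in callers.
add_action( 'wp_ajax_nopriv_ditty_init', 'example_ditty_init_ajax_hardened' );
add_action( 'wp_ajax_ditty_init',        'example_ditty_init_ajax_hardened' );
```

Note that adding a nonce would not have closed this gap: a nopriv AJAX endpoint is meant to be reachable by anonymous visitors, and a nonce only ties a request to a page load, not to a permission. The fix is the status and capability check on the object being returned, which is what the non-AJAX code path already performed according to the advisory.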

Remediation

Users can update the Ditty News Tickers, Sliders, and Lists plugin to version 3.1.66 or later, where this vulnerability has been addressed.

Added: May 22, 2026, 9:34 AM
Updated: May 22, 2026, 9:34 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 9.3
remediation: 0.0
relevance: 8.7
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.