PT-2024-28522 · WordPress · Ditty

Sonicrrrr +1 · Published 2024-05-09 · Updated 2024-05-14 · CVE-2024-3954

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Ditty plugin for WordPress, versions prior to 3.1.38

Description
The plugin deserializes untrusted input when a new ditty is added, which allows authenticated attackers with Contributor-level access or higher to inject a PHP object. Exploitation depends on a POP chain being present in an additional plugin or theme installed on the target system; where one is, the impact can include deletion of arbitrary files, retrieval of sensitive data, or execution of code.

Recommendations
For Ditty plugin for WordPress versions prior to 3.1.38, update to version 3.1.38 or later to resolve the issue.
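The following is an added illustrative example, not code from the Ditty plugin or from this advisory. It shows the general pattern behind a PHP object injection like the one described above: a request field passed to unserialize() as received, a hypothetical gadget class of the kind a POP chain needs, and two hardened alternatives. All class and function names are hypothetical, the payload is constructed for the example, and the code assumes PHP 8.0 or later.

```php
<?php
// Added illustrative example, not code from the Ditty plugin: the unsafe
// unserialize() pattern the advisory describes, next to two hardened forms.
// Class and function names are hypothetical. Requires PHP 8.0+.

// Hypothetical gadget standing in for a class that some other plugin or theme
// might load. A destructor that acts on an attacker-controlled property is the
// kind of POP chain the advisory refers to.
class CacheFile
{
    public string $path = '';

    public function __destruct()
    {
        // A real gadget would call unlink($this->path) here; this one only
        // reports what it would do so the example is safe to run.
        echo "gadget: would unlink {$this->path}\n";
    }
}

// Vulnerable pattern: deserialise a request field as received. Any class that
// is loaded in the process can be instantiated with attacker-chosen properties.
function load_settings_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Returns true if $v is, or anywhere contains, an object. With
// allowed_classes => false every object payload arrives as
// __PHP_Incomplete_Class, so this catches nested objects too.
function contains_object(mixed $v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern 1: keep the serialised format but forbid object
// instantiation entirely, then reject any payload that smuggled one in.
function load_settings_no_classes(string $raw): mixed
{
    $value = unserialize($raw, ['allowed_classes' => false]);
    if ($value === false || contains_object($value)) {
        return null; // invalid or object-bearing input is treated as hostile
    }
    return $value;
}

// Hardened pattern 2 (preferred for new code): JSON has no class semantics,
// so there is nothing for a POP chain to latch on to.
function load_settings_json(string $raw): ?array
{
    try {
        $value = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($value) ? $value : null;
}

// Constructed attacker payload: a serialised CacheFile whose path points at a
// file the attacker wants removed. A Contributor-level user would submit this
// in whatever request field the plugin later passes to unserialize().
$payload = 'O:9:"CacheFile":1:{s:4:"path";s:22:"/var/www/wp-config.php";}';

echo "vulnerable:\n";
$obj = load_settings_vulnerable($payload);
var_dump($obj instanceof CacheFile); // bool(true): the gadget was instantiated
unset($obj);                         // destructor fires with the attacker's path

echo "allowed_classes=false:\n";
var_dump(load_settings_no_classes($payload)); // NULL: object payload rejected

echo "json:\n";
var_dump(load_settings_json($payload));           // NULL: not JSON at all
var_dump(load_settings_json('{"title":"demo"}')); // plain array, no objects
```

The gadget here is deliberately harmless, but the point is that the vulnerable loader gives the attacker a fully populated object of any loaded class, and the plugin has no say in which class that is. The allowed_classes option closes the instantiation path while keeping the serialised format; switching the field to JSON removes the problem class altogether and is the better choice when the data format is under the plugin's control.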

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related Identifiers

CVE-2024-3954

Affected Products

Ditty