PT-2025-36441 · WordPress · Ditty WordPress Plugin

Dmitry Ignatyev · Published 2025-09-08 · Updated 2026-02-16 · CVE-2025-8085

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Ditty WordPress plugin, versions prior to 3.1.58

Description: The Ditty WordPress plugin before version 3.1.58 exposes the displayItems endpoint without requiring authentication or authorization, so unauthenticated visitors can make the server send requests to arbitrary URLs. This is a Server-Side Request Forgery (SSRF): the attacker causes the server to fetch internal URLs on their behalf. The vulnerable REST API endpoint is /wp-json/dittyeditor/v1/displayItems. Two defects combine here: the endpoint performs no authorization check, and the source URL it fetches is not filtered. The impact is that an attacker could perform internal network reconnaissance or reach resources behind firewalls that are not directly exposed.

Recommendations: Update the Ditty WordPress plugin to version 3.1.58 or later.
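As an added illustration written for this advisory (not the Ditty plugin's own code), the two controls whose absence the description names, on a hypothetical WordPress REST route: a permission_callback that closes the route to unauthenticated callers, and validation of the fetched URL so that loopback and private-range hosts are refused. The namespace, route, parameter name (`source_url`) and required capability are assumptions.

```php
<?php
// Hypothetical hardened WordPress REST route that fetches a caller-supplied URL.
// Example code for this advisory, not the plugin's code; names are assumed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/displayItems', array(
        'methods'  => 'POST',
        'callback' => 'example_display_items',
        // Control 1: authorization. Without a permission_callback the route is
        // reachable by anyone; here only users who can edit posts may call it.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'source_url' => array( // assumed parameter name
                'required'          => true,
                'validate_callback' => 'example_validate_source_url',
            ),
        ),
    ) );
} );

// Control 2: URL filtering. Accept only http(s) URLs whose host is a public,
// non-reserved address; loopback, link-local and RFC 1918 hosts are rejected.
function example_validate_source_url( $value ) {
    $parts = wp_parse_url( $value );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    $host = $parts['host'];
    // Resolve DNS names so a hostname that points at an internal range is caught too.
    $ip = filter_var( $host, FILTER_VALIDATE_IP ) ? $host : gethostbyname( $host );
    return (bool) filter_var( $ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
}

function example_display_items( WP_REST_Request $request ) {
    // wp_safe_remote_get() re-validates the URL with wp_http_validate_url() at
    // request time and refuses unroutable hosts; redirects are not followed.
    $response = wp_safe_remote_get( $request->get_param( 'source_url' ),
        array( 'redirection' => 0, 'timeout' => 5 ) );
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not fetch source URL',
            array( 'status' => 502 ) );
    }
    return rest_ensure_response( array( 'body' => wp_remote_retrieve_body( $response ) ) );
}
```

Validating once and fetching later still leaves a DNS rebinding window, which is why the fetch itself goes through wp_safe_remote_get() rather than wp_remote_get().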

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers: CVE-2025-8085

Affected Products: Ditty WordPress Plugin