CVE-2026-9011

Name of the Vulnerable Software and Affected Versions Ditty – Responsive News Tickers, Sliders, and Lists versions prior to 3.1.66

Description An authorization bypass exists because the plugin fails to properly verify if a user is authorized to perform specific actions. Unauthenticated attackers can retrieve the full content of non-public items, such as drafts, pending, scheduled, and disabled entries, by enumerating integer post IDs. This occurs via the 'ditty init' AJAX endpoint, where the init ajax() function fails to verify that the requested item has a 'publish' post status before returning the data, unlike the init() function.

Recommendations Update to a version later than 3.1.65.