Authorization Bypass in Ditty Plugin for WordPress
CVE-2026-9011

7.5 HIGH

What is CVE-2026-9011?

The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress, in all versions up to and including 3.1.65, is vulnerable to unauthorized access to data because the ditty_init AJAX action (served through WordPress's admin-ajax.php) performs no authorization check on the caller. An unauthenticated attacker can request the endpoint directly and retrieve ticker items that are not publicly visible, including drafts and disabled entries. The flaw is a pure information disclosure: it does not allow the attacker to modify or delete content, but any non-public text stored in those entries must be treated as exposed on an affected site.
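The following is an added illustration of the bug class described above, not Ditty's source code and not the actual fix shipped by the plugin. It shows a generic WordPress AJAX handler that returns every item regardless of status next to a hardened version. The post type `ticker_item`, the meta key `_ticker_item_disabled`, the action name `ticker_init`, the `nonce` request parameter and the `edit_posts` capability are all hypothetical names chosen for the example. The practitioner's point it makes is that a public ticker legitimately needs an unauthenticated (`wp_ajax_nopriv_`) endpoint, so the correct fix is authorization-aware filtering of what is returned, not simply requiring a login.

```php
<?php
/**
 * Illustrative only. Not Ditty's code: the post type, meta key, action name
 * and nonce parameter below are hypothetical names for this example.
 */

// VULNERABLE pattern: one handler serves both logged-in and anonymous callers
// and queries with post_status 'any', so drafts, pending and private items
// (plus entries an editor has disabled) are returned to anyone who can reach
// admin-ajax.php.
function ticker_init_vulnerable() {
    $items = get_posts( array(
        'post_type'      => 'ticker_item',
        'post_status'    => 'any',   // includes draft, pending and private
        'posts_per_page' => -1,
    ) );
    $out = array();
    foreach ( $items as $item ) {
        $out[] = array(
            'id'       => $item->ID,
            'title'    => $item->post_title,
            'content'  => $item->post_content,
            'status'   => $item->post_status,
            'disabled' => (bool) get_post_meta( $item->ID, '_ticker_item_disabled', true ),
        );
    }
    wp_send_json_success( $out );
}
// The vulnerable registration is left commented out so that only the hardened
// handler is live if this file is loaded as-is:
// add_action( 'wp_ajax_ticker_init',        'ticker_init_vulnerable' );
// add_action( 'wp_ajax_nopriv_ticker_init', 'ticker_init_vulnerable' );

// HARDENED pattern: anonymous callers, and logged-in users without edit rights,
// only ever receive published, enabled items. Non-public statuses are included
// only when the caller can edit content AND presents a valid nonce; the nonce
// alone is not enough, because nonces do not prove a capability.
function ticker_init_hardened() {
    $can_preview = current_user_can( 'edit_posts' )
        && false !== check_ajax_referer( 'ticker_init', 'nonce', false );

    $args = array(
        'post_type'      => 'ticker_item',
        'post_status'    => $can_preview
            ? array( 'publish', 'draft', 'pending', 'private' )
            : 'publish',
        'posts_per_page' => -1,
    );

    if ( ! $can_preview ) {
        // Public callers never see entries an editor has switched off. Treat a
        // missing meta value as "enabled" so existing items keep working.
        $args['meta_query'] = array(
            'relation' => 'OR',
            array( 'key' => '_ticker_item_disabled', 'compare' => 'NOT EXISTS' ),
            array( 'key' => '_ticker_item_disabled', 'value' => '1', 'compare' => '!=' ),
        );
    }

    $out = array();
    foreach ( get_posts( $args ) as $item ) {
        $out[] = array(
            'id'      => $item->ID,
            'title'   => $item->post_title,
            'content' => $item->post_content,
        );
    }
    wp_send_json_success( $out );
}
add_action( 'wp_ajax_ticker_init',        'ticker_init_hardened' );
add_action( 'wp_ajax_nopriv_ticker_init', 'ticker_init_hardened' );
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_nopriv_*` registration and check what the handler returns for a caller with no session at all: the unauthenticated path is the one that matters, and a `check_ajax_referer()` call on its own does not establish authorization, since the nonce for a public action is typically printed into the page for every visitor.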

Affected Version(s)

Ditty – Responsive News Tickers, Sliders, and Lists: all versions up to and including 3.1.65 (0 <= 3.1.65)

CVSS V3.1

Score: 7.5
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Note: a 7.5 base score with C:H/I:N corresponds to an availability impact of None, which also matches the disclosure-only nature of the flaw; an availability impact of High would yield a score of 9.1.

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Md. Moniruzzaman Prodhan