The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress, in versions up to 3.1.65, is vulnerable to an authorization bypass (CVE-2026-9011). Unauthenticated attackers can retrieve the full content of non-public Dittys through the ditty_init AJAX endpoint.
Ditty – Responsive News Tickers, Sliders, and Lists plugin <= 3.1.65
cve
cve-2026-9011
wordpress
authorization bypass
plugin vulnerability
cloud