VulnerAlert
WORDPRESS
08-09-2025 03:25
CVE-2025-8085
Documented vulnerability
No score
Tags
#wordpress
#plugin
#authenticated
#arbitrary
#allow
Description
The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
https://wpscan.com/vulnerability/f42c37bb-1ae0-49ab-bd81-7864dff0fcff/
Affects Plugins
ditty-news-ticker
Fixed in 3.1.58
References
CVE
CVE-2025-8085
URL
https://research.cleantalk.org/cve-2025-8085/
Classification
Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
8.6 (high)
Miscellaneous
Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/
Verified
Yes
WPVDB ID
f42c37bb-1ae0-49ab-bd81-7864dff0fcff
Timeline
Publicly Published: 2025-08-18 (about 21 days ago)
Added: 2025-08-18 (about 20 days ago)
Last Updated: 2025-08-18 (about 20 days ago)
Other
Published 2025-01-03: Photo Gallery Slideshow & Masonry Tiled Gallery < 1.0.16 - Authenticated (Subscriber+) Limited Server-Side Request Forgery
Published 2021-04-13: WP-DownloadManager < 1.68.5 - Server-Side Request Forgery (SSRF)
Published 2024-03-13: Automatic < 3.92.1 - Unauthenticated Arbitrary File Download and Server-Side Request Forgery
Published 2025-04-24: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) < 3.1.3 - Unauthenticated Server-Side Request Forgery via URL Parameter
Published 2025-03-24: WP Compress < 6.30.16 - Unauthenticated Server-Side Request Forgery via init Function
Reference
Related CVE(s)
External link
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-8085