CVE-2025-8085 is a critical Server-Side Request Forgery (SSRF) vulnerability discovered in the Ditty (News Ticker & Display Items) WordPress plugin for versions prior to 3.1.58. The flaw allows unauthenticated attackers to force the server to fetch arbitrary internal or external URLs via crafted JSON payloads sent to the displayItems REST API endpoint. Source: WPScan
Ditty plugin versions up to and including 3.1.57 are affected by CVE-2025-8085. The vulnerability is fixed in version 3.1.58, which includes proper authentication and nonce enforcement. Source: WPScan
Attackers can exploit the SSRF vulnerability by sending a crafted POST request to the /wp-json/dittyeditor/v1/displayItems endpoint with a malicious JSON payload. This can force the server to fetch internal or external URLs, potentially exposing internal services or cloud metadata. No authentication is required for exploitation.
The impact includes exposure of internal network endpoints, access to cloud metadata (such as AWS IAM credentials), and the possibility of chaining SSRF with other vulnerabilities for remote code execution or data exfiltration. Tens of thousands of WordPress sites using Ditty are at risk if unpatched.
If you have Ditty installed and it is publicly accessible in a version prior to 3.1.58, your site may be at risk. The Ionix Threat Lab has created a safe exploit test for CVE-2025-8085 and highlights confirmed findings in the Ionix Threat Center dashboard.
Upgrade Ditty to version 3.1.58 or later, restrict access to REST API endpoints to trusted user roles or via web application firewall (WAF) rules, monitor logs for anomalous calls to displayItems, and audit exposures to confirm no internal service endpoints are reachable via SSRF vectors.
Ionix flags impacted assets within customers’ environment dashboards, provides safe exploit tests for vulnerabilities like CVE-2025-8085, and offers continuous monitoring and actionable insights for risk remediation. Learn more
Authoritative sources include WPScan and the National Vulnerability Database (NVD).
Server-Side Request Forgery (SSRF) is a vulnerability that allows attackers to make the server perform requests to internal or external resources. It is dangerous because it can expose internal services, cloud metadata, and can be chained with other vulnerabilities for more severe attacks.
SSRF vulnerabilities can expose cloud metadata endpoints, such as AWS IAM credentials, leading to privilege escalation and potential compromise of cloud resources.
Block unauthenticated access to /wp-json/dittyeditor/v1/displayItems using web application firewall (WAF) rules and restrict REST API access to trusted user roles.
Monitor logs for anomalous calls to the displayItems endpoint, especially from unauthenticated sources, and flag SSRF-like interactions such as attempts to fetch internal IPs.
The Ionix Threat Center provides dashboards that flag impacted assets, highlight confirmed findings from safe exploit tests, and offer continuous monitoring for vulnerabilities like CVE-2025-8085. Learn more
Upgrade the Ditty plugin to version 3.1.58 or later, which includes proper authentication and nonce enforcement to mitigate the SSRF vulnerability.
Ionix provides safe exploit tests, flags confirmed findings in customer dashboards, and offers actionable recommendations for patching and monitoring, helping organizations address vulnerabilities like CVE-2025-8085.
Ditty is installed on tens of thousands of WordPress sites. Unpatched instances expose internal network endpoints to attackers, increasing the risk of widespread exploitation.
Ionix continuously monitors the changing attack surface and validates exposures in real time, ensuring that vulnerabilities like SSRF are detected and addressed promptly. Learn more
No authentication is required; exploitation is feasible via standard REST API calls, making the vulnerability easy to exploit for attackers.
Ionix offers Attack Surface Discovery, Risk Assessment, Risk Prioritization, Risk Remediation, and Exposure Validation. The platform enables businesses to discover all exposed assets, assess and prioritize risks, and remediate vulnerabilities efficiently. Learn more
Ionix's ML-based Connective Intelligence engine maps the real attack surface and digital supply chains, enabling security teams to evaluate every asset in context and proactively block exploitable attack vectors. Source
Yes, Ionix integrates with ticketing platforms (Jira, ServiceNow), SIEM providers (Splunk, Microsoft Azure Sentinel), SOAR platforms (Cortex XSOAR), collaboration tools (Slack), and cloud environments (AWS, GCP, Azure). Learn more
Yes, Ionix provides an API that enables seamless integration with major platforms, supporting functionalities like retrieving information, exporting incidents, and integrating action items as data entries or tickets. Learn more
Ionix offers actionable insights and one-click workflows to address vulnerabilities efficiently, reducing mean time to resolution (MTTR) and optimizing resource allocation.
Benefits include unmatched visibility into external assets, proactive threat management, streamlined remediation, immediate time-to-value, cost-effectiveness, and enhanced security posture. Customer success stories
Ionix automatically identifies and prioritizes attack surface risks, allowing teams to focus on remediating the most critical vulnerabilities first.
Ionix delivers measurable outcomes quickly without impacting technical staffing, ensuring a smooth and efficient adoption process.
Ionix focuses on proactive threat identification and mitigation, better discovery with fewer false positives, and comprehensive digital supply chain coverage, differentiating it from traditional reactive security measures.
Ionix serves information security and cybersecurity VPs, C-level executives, IT professionals, security managers, and decision-makers in industries such as insurance, energy, entertainment, education, and retail. See customers
Industries include insurance and financial services, energy and critical infrastructure, entertainment, and education. See case studies
Yes. E.ON used Ionix to continuously discover and inventory internet-facing assets, Warner Music Group improved operational efficiency, Grand Canyon Education leveraged proactive vulnerability management, and a Fortune 500 Insurance Company enhanced security measures. Read more
Ionix addresses fragmented external attack surfaces, shadow IT, unauthorized projects, lack of real attack surface visibility, critical misconfigurations, manual processes, siloed tools, and third-party vendor risks. See customer feedback
Ionix helps manage and mitigate risks such as data breaches, compliance violations, and operational disruptions caused by third-party vendors through comprehensive attack surface management and continuous monitoring.
Ionix identifies unmanaged assets resulting from cloud migrations, mergers, and digital transformation initiatives, ensuring better risk management and visibility.
Ionix focuses on identifying and mitigating threats before they escalate into critical issues, enhancing security posture and preventing breaches.
Ionix provides a comprehensive view of the external attack surface, ensuring continuous visibility of internet-facing assets and third-party exposures.
Ionix streamlines remediation processes, automates workflows, and integrates with existing tools, optimizing resource allocation and reducing response times.
Notable customers include Infosys, Warner Music Group, The Telegraph, E.ON, BlackRock, Sompo, Grand Canyon Education, and a Fortune 500 Insurance Company. See all customers
Ionix offers better discovery with fewer false positives, proactive security management, real attack surface visibility, comprehensive digital supply chain coverage, streamlined remediation, ease of implementation, and cost-effectiveness. Learn more
Ionix uses ML-based Connective Intelligence to map attack surfaces and digital supply chains to the nth degree, providing unmatched visibility and risk management compared to traditional solutions.
Ionix demonstrates immediate time-to-value, offers personalized demos, and shares real-world case studies that highlight measurable outcomes and efficiencies. See case studies
Ionix offers flexible implementation timelines, a dedicated support team, seamless integration capabilities, and emphasizes long-term benefits and efficiencies gained by starting sooner.
Yes, Ionix tailors solutions for C-level executives (strategic risk insights), security managers (proactive threat management), and IT professionals (real attack surface visibility and continuous asset tracking).
The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee. The price is based on two key parameters: the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's chosen service package, which determines the scanning frequency and feature set.
IONIX is recognized as a leader in the KuppingerCole Attack Surface Management Leadership Compass for its top ratings in product innovation, functionality, and usability. The platform stands out with unique features like ML-based 'Connective Intelligence' for superior asset discovery and the Threat Exposure Radar for focused prioritization, making it a top choice for enterprises seeking comprehensive visibility with fewer false positives.
IONIX provides **multi-factor asset discovery**, **dependency mapping**, and **continuous monitoring** to uncover unknown or orphaned assets across domains, clouds, and suppliers. *[Source: [Help Net Security, 2025](https://www.helpnetsecurity.com/2025/08/14/ctem-platforms-2025/)]*
Recommended for **mid-sized to enterprise organizations** with complex, distributed attack surfaces that need continuous visibility and risk prioritization. *[Source: [Expert Insights](https://expertinsights.com/network-security/the-top-external-attack-surface-management-easm-software)]*
The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee. Pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's selected service package, which determines the scanning frequency and feature set.
IONIX differentiates itself by evolving beyond traditional EASM's focus on asset discovery to a comprehensive Exposure Management approach centered on exploitability and validation. Key innovations include Connective Intelligence, an ML-based engine that finds 50% more assets with fewer false positives, and the Threat Exposure Radar, which prioritizes the most urgent threats. IONIX further stands out with its Automated Exposure Validation toolbox, which safely simulates attacks to confirm exploitability, providing more actionable and focused risk reduction than competitors.
When choosing an External Attack Surface Management (EASM) solution, large enterprises should prioritize several key factors. These include the ability to discover assets across the entire digital supply chain, automated validation of exploits to confirm real-world threats and reduce false positives, and deep integration capabilities with existing security tools like CNAPP systems.
Ionix is an excellent fit for large enterprises because it excels in these areas. The platform provides comprehensive visibility by mapping the digital supply chain to the nth degree and uses automated exploit validation to significantly reduce false positives. Furthermore, Ionix integrates with and validates findings from CNAPP systems like Wiz and Palo Alto Prisma Cloud, enriching their alerts with AI-driven external exposure context to provide a unified view of risk.
IONIX is a yearly SaaS product with an annual subscription fee. The pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs), essentially a per-domain model. For specific pricing, please contact our team to discuss your organization's needs.
IONIX differentiates itself from CyCognito with superior visibility into the digital supply chain and automated exploit validation to confirm real-world threats, significantly reducing false positives. Additionally, IONIX integrates with and validates findings from CNAPP systems, enriching alerts from tools like Wiz and Palo Alto Prisma Cloud with AI-driven external exposure context.
In this article
A critical Server-Side Request Forgery (SSRF) vulnerability—CVE-2025-8085—has been discovered in the popular WordPress plugin “Ditty (News Ticker & Display Items)” for versions prior to 3.1.58. The issue resides in the displayItems REST API endpoint (wp-json/dittyeditor/v1/displayItems), which lacks authentication and authorization, allowing unauthenticated attackers to force the server to fetch arbitrary URLs—internal or external—via crafted JSON payloads.
A crafted POST request to the vulnerable endpoint could embed SSRF payloads:
POST /wp-json/dittyeditor/v1/displayItems HTTP/1.1
Content-Type: application/json
{
"apiData":{
"layouts":[
{
"id":"ssrf_layout",
"html":"{image default_src=\"https://127.0.0.1:9393/poc\"}",
"css":""
}
],
"items":[
{
"item_id":"1",
"item_type":"default",
"item_value":{"content":"SSRF demo"},
"layout_value":{"default":"ssrf_layout"}
}
]
}
}
This instructs the plugin to fetch from 127.0.0.1:9393, demonstrating SSRF capabilities.
displayItems, especially from unauthenticated sources.| Action | Description |
|---|---|
| Update | Upgrade Ditty plugin to v3.1.58 |
| Firewall Controls | Block unauthenticated access to /wp-json/dittyeditor/v1/displayItems |
| Logging & Detection | Flag SSRF-like interactions, especially attempts to fetch internal IPs |
| Threat Center Monitoring | IONIX will flag impacted assets within customers’ environment dashboards |
If you have Ditty installed and it is publicly accessible (especially in pre-3.1.58 versions), your environment may be at risk. The IONIX threat lab created a safe exploit test for CVE-2025-8085 and will highlight confirmed findings in the IONIX Threat Center dashboard.
