Unauthenticated Local File Inclusion Vulnerability in Chartify for WordPress
CVE-2024-10571

9.8CRITICAL

Key Information:

Vendor
Chartify
Status
Chartify
Vendor
CVE Published:
14 November 2024

Summary

The Chartify – WordPress Chart Plugin, utilized for creating charts within WordPress sites, is susceptible to a Local File Inclusion (LFI) vulnerability in all versions up to and including 2.9.5. The flaw is triggered through the 'source' parameter, allowing unauthenticated attackers to include and execute arbitrary files on the server. This vulnerability poses significant risks, as it enables the potential execution of PHP code contained in these files, leading to a range of malicious outcomes such as bypassing access controls, accessing sensitive information, and executing unauthorized code. Properly securing and updating the plugin is critical to safeguarding WordPress installations.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/chart-builder/...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

Collectors

NVD Database
.