Missing Authentication Vulnerability in Chartify Plugin for WordPress
CVE-2025-11171

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Chartify – WordPress Chart Plugin
Vendor: CVE Published:; 8 October 2025

What is CVE-2025-11171?

The Chartify plugin for WordPress has a security flaw whereby unauthenticated attackers can exploit an AJAX action without proper authentication or capability checks. This oversight allows malicious users to invoke administrative functions through the wp-admin/admin-ajax.php endpoint simply by knowing the callable method names. All versions up to and including 3.5.9 of the plugin are impacted, making it imperative for users to patch their installations to prevent unauthorized access.

Affected Version(s)

Chartify – WordPress Chart Plugin * <= 3.5.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/chart-builder/...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 8, 2025
Vulnerability Reserved
Sep 29, 2025

Credit

Avraham Shemesh

Kai Aizen

JSON