What vulnerability was discovered in the Chartify WordPress Plugin?

A critical vulnerability (CVE-2024-10571) with a CVSS score of 9.8 was discovered in the Chartify WordPress Chart Plugin. It's an Unauthenticated Local File Inclusion vulnerability that allows attackers to execute malicious code through improper handling of the 'source' parameter.

Which versions are affected and what is the fix?

All versions up to and including 2.9.5 are affected. The vulnerability has been patched in version 2.9.6.

What is the recommended action for website administrators?

Website administrators are urged to update immediately to version 2.9.6 or newer versions of the Chartify WordPress Plugin.

How widespread are the exploitation attempts?

The vulnerability is under active exploitation, with Wordfence reporting that they blocked over 2.2 million attacks targeting this vulnerability within just 24 hours.

Advisory

Critical flaw reported in Chartify WordPress Chart Plugin

Q: What are the potential impacts of this vulnerability?

The vulnerability enables access control bypass, sensitive data extraction, and permits code execution when 'safe' file types can be uploaded and included. It's actively being exploited in the wild, with Wordfence reporting 2,207,540 blocked attacks within 24 hours.

published: Nov. 14, 2024

Take action: If you are using the Chartify WordPress Chart Plugin, update the plugin IMMEDIATELY. It's not a widely used plugin, but is still high risk.

Learn More

A critical vulnerability has been discovered in the Chartify WordPress Chart Plugin, actively being exploited in the wild.

The vulnerability is tracked as CVE-2024-10571 (CVSS score 9.8): Unauthenticated Local File Inclusion vulnerability and allows attackers to execute malicious code through improper handling of 'source' parameter, enabling access control bypass and sensitive data extraction. It permits code execution when "safe" file types can be uploaded and included. Affected versions are all up to and including 2.9.5

Wordfence reported blocking 2,207,540 attacks within 24 hours.

The vulnerability has been patched in version 2.9.6. Website administrators are urged to update immediately to this or newer versions.

Critical flaw reported in Chartify WordPress Chart Plugin

Read More
Over 300,000 WordPress sites vulnerable due to POST …
Critical File Upload Flaw reported RealHomes CRM Plugin
Kadence Blocks plugin for WordPress patches critical Vulnerability
Fancy Product Designer WordPress plugin has critical flaws, …
Multiple critical authentication bypass vulnerabilities in Kentico Xperience …