CVE-2024-10571
Published 2024-11-14
Priority P1 · 85 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.84% (90.9th percentile)
The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ays-pro | chartify | < 2.9.6 | 2.9.6 |
| ays-pro | chartify_wordpress_chart_plugin | <= 2.9.5 | — |
Detection & IOCs (extracted from sources)
- URL: /wp-admin/admin-ajax.php?action=add&source=../../../../../../../../../../wp-content/plugins/chart-builder/admin/partials/features/chart-builder-plugin-featured-display&type=chart-js
- URL: /wp-admin/admin-ajax.php?action=add&source=../../../../../../../../../../wp-content/plugins/chart-builder/uninstall&type=chart-js
- Exploit requests are unauthenticated POST requests to /wp-admin/admin-ajax.php with the 'source' query-string parameter containing directory traversal sequences (../../) and the POST body containing action=ays_chart_admin_ajax&function=display_plugin_charts_page.
- Successful exploitation of the first stage sets a PHPSESSID cookie in the response header, which can be used as an indicator of a successful LFI probe.
- Successful exploitation of the second stage returns HTTP 200 with a body containing both 'ays-chart-heading-box' and 'View Documentation', indicating that arbitrary file inclusion was achieved.
- The vulnerable parameter is 'source', passed via the GET query string to admin-ajax.php (even though the exploit requests use the POST method); monitor for traversal patterns (e.g., '../', including URL-encoded and double-encoded forms) in the source parameter of requests to admin-ajax.php.
- The exploit is a two-step flow: the first HTTP request must succeed (PHPSESSID cookie present in the response) before the second LFI request is sent. Detection logic should account for this chained request pattern rather than alerting on a single request only.
- The vulnerability affects all plugin versions up to and including 2.9.5; version 2.9.6 is the patched release. Scope detection rules to installations running versions <= 2.9.5. Note that the plugin's directory on WordPress.org is chart-builder (as in the IOC paths and the trac reference below), not chartify, so version checks should look at wp-content/plugins/chart-builder/.
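The detection guidance above, turned into a log-scanning routine, as an added example that is not from the original page, the plugin vendor, or the Nuclei project. It parses combined-format access log lines, flags requests to /wp-admin/admin-ajax.php whose 'source' query parameter contains a traversal sequence (after repeated URL-decoding, so single- and double-encoded variants are caught), and correlates the two-request chain per client IP. Assumptions not stated on the page: the request that includes .../chart-builder/uninstall is treated as stage 1 and the one that includes .../chart-builder-plugin-featured-display as stage 2, the correlation window is 60 seconds, and the sample log lines are constructed (the page gives no log data).

```python
"""Detect CVE-2024-10571 exploitation attempts in web-server access logs.

Added example (not from the original page, the plugin vendor, or the Nuclei
project). Flags requests to /wp-admin/admin-ajax.php whose `source` query
parameter carries a directory-traversal sequence and correlates the two-request
exploit chain per client IP.
Assumptions: stage 1 is the request including .../chart-builder/uninstall,
stage 2 the one including .../chart-builder-plugin-featured-display (the page
does not say which URL is which stage); a 60 s correlation window; combined
log format. SAMPLE_LOG below is constructed data.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log prefix: client ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # ../ or ..\ after decoding
STAGE1_MARK = "chart-builder/uninstall"  # assumed stage-1 include target
STAGE2_MARK = "chart-builder-plugin-featured-display"  # assumed stage-2 include target

# Constructed sample lines: a full exploit chain from one client, a
# double-encoded probe from another, a benign admin-ajax call, and a traversal
# outside admin-ajax.php (out of scope for this rule).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Nov/2024:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=add&source=../../../../../../../../../../wp-content/plugins/chart-builder/uninstall&type=chart-js HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '203.0.113.7 - - [14/Nov/2024:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=add&source=../../../../../../../../../../wp-content/plugins/chart-builder/admin/partials/features/chart-builder-plugin-featured-display&type=chart-js HTTP/1.1" 200 8192 "-" "python-requests/2.32"',
    '198.51.100.9 - - [14/Nov/2024:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=add&source=%252e%252e%252fetc%252fpasswd&type=chart-js HTTP/1.1" 500 0 "-" "curl/8.0"',
    '192.0.2.5 - - [14/Nov/2024:10:06:00 +0000] "POST /wp-admin/admin-ajax.php?action=ays_chart_admin_ajax&function=display_plugin_charts_page HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [14/Nov/2024:10:06:10 +0000] "GET /wp-content/plugins/chart-builder/../../uploads/x.png HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def fully_decode(value, rounds=3):
    """URL-decode repeatedly so %2e%2e%2f and %252e%252e%252f both become ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return a dict (ip, ts, method, target, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify_request(target):
    """Classify a request target as 'stage1', 'stage2', 'traversal' or None.

    Only admin-ajax.php requests whose decoded `source` parameter contains a
    traversal sequence are flagged; traversal elsewhere is another rule's job.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    sources = parse_qs(parts.query, keep_blank_values=True).get("source", [])
    hits = [fully_decode(s) for s in sources]
    hits = [s for s in hits if TRAVERSAL_RE.search(s)]
    if not hits:
        return None
    if any(STAGE1_MARK in s for s in hits):
        return "stage1"
    if any(STAGE2_MARK in s for s in hits):
        return "stage2"
    return "traversal"


def scan(lines, window_seconds=60):
    """Return (ip, kind, status) findings; kind 'chain' marks a completed two-step flow.

    A 'chain' finding is emitted when a client sends a stage-2 request within
    `window_seconds` after its last stage-1 request and the stage-2 response is
    HTTP 200, matching the chained pattern described in the IOCs.
    """
    findings = []
    last_stage1 = {}  # ip -> timestamp of the most recent stage-1 request
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify_request(rec["target"])
        if kind is None:
            continue
        findings.append((rec["ip"], kind, rec["status"]))
        if kind == "stage1":
            last_stage1[rec["ip"]] = rec["ts"]
        elif kind == "stage2" and rec["ip"] in last_stage1:
            delta = (rec["ts"] - last_stage1[rec["ip"]]).total_seconds()
            if 0 <= delta <= window_seconds and rec["status"] == 200:
                findings.append((rec["ip"], "chain", rec["status"]))
    return findings


if __name__ == "__main__":
    for ip, kind, status in scan(SAMPLE_LOG):
        print(f"{ip:15} {kind:9} HTTP {status}")
```

Run it against the constructed sample and it reports stage1, stage2 and a chain finding for 203.0.113.7 plus a lone traversal probe from 198.51.100.9; the benign admin-ajax call and the traversal outside admin-ajax.php produce nothing. Access logs do not carry response headers, so the PHPSESSID indicator from the first stage cannot be checked here; the chain finding stands in for it by requiring stage 2 to follow stage 1 with a 200 response.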
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-c7vx-2f2q-xpfw · ghsa_unreviewed · 2024-11-14 · CWE-98 · CRITICAL
VulnCheck
Chartify WordPress Chart Plugin For WordPress Local File Inclusion Vulnerability
vulncheck · 2024 · CVSS 9.8 · CRITICAL
Affected: ays-pro chartify
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: htt
No detection rules found.
Nuclei
Chartify – WordPress Chart Plugin < 2.9.6 - Local File Inclusion
nuclei · CVSS 9.8 · CRITICAL
Template:
```yaml
id: CVE-2024-10571

info:
  name: Chartify – WordPress Chart Plugin < 2.9.6 - Local File Inclusion
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    The Chartify – WordPress Chart Plugin plugin for WordPress
```
No writeups or analysis indexed.
References
- https://abrahack.com/posts/chart-builder-lfi/
- https://plugins.trac.wordpress.org/browser/chart-builder/tags/2.9.6/admin/partials/charts/actions/chart-builder-charts-actions-options.php?rev=3184238
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d4837258-c749-4194-926c-22b67e20c1fc?source=cve