The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
History

Tue, 19 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:ays-pro:chartify:*:*:*:*:free:wordpress:*:*

Thu, 14 Nov 2024 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Ays-pro
Ays-pro chartify
CPEs cpe:2.3:a:ays-pro:chartify:*:*:*:*:*:*:*:*
Vendors & Products Ays-pro
Ays-pro chartify
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 Nov 2024 11:15:00 +0000

Type Values Removed Values Added
Description The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Title Chartify – WordPress Chart Plugin <= 2.9.5 - Unauthenticated Local File Inclusion via source
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-11-14T11:00:12.910Z

Updated: 2024-11-14T19:33:58.060Z

Reserved: 2024-10-30T22:27:57.315Z

Link: CVE-2024-10571

cve-icon Vulnrichment

Updated: 2024-11-14T19:07:40.574Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-14T11:15:04.630

Modified: 2024-11-19T15:46:52.187

Link: CVE-2024-10571

cve-icon Redhat

No data.