CVE-2025-11171

EPSS 0.33%
Veröffentlicht 08.10.2025 05:24:49
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Chartify – WordPress Chart Plugin <= 3.5.9 - Missing Authentication for Administrative Function

The Chartify – WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an unauthenticated AJAX action that dispatches to admin-class methods based on a request parameter, without any nonce or capability checks. This makes it possible for unauthenticated attackers to execute administrative functions via the wp-admin/admin-ajax.php endpoint granted they can identify callable method names.

Mögliche Gegenmaßnahme

Chartify – WordPress Chart Plugin: Update to version 3.6.0, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerays-pro

≫

Produkt Chartify – WordPress Chart Plugin

Default Statusunaffected

Version <= 3.5.9

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Chartify – WordPress Chart Plugin

Version *-3.5.9

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.247

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://www.wordfence.com/threat-intel/vulnerabilities/id/aa3e030b-8ef1-4dbc-940d-6c2ab2683620?source=cve

https://plugins.trac.wordpress.org/browser/chart-builder/tags/3.5.8/includes/class-chart-builder.php#L247

https://plugins.trac.wordpress.org/browser/chart-builder/tags/3.5.8/admin/class-chart-builder-admin.php#L675

https://plugins.trac.wordpress.org/browser/chart-builder/tags/3.5.8/admin/class-chart-builder-admin.php#L1625

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3372188%40chart-builder%2Ftags%2F3.6.0&new=3372188%40chart-builder%2Ftags%2F3.6.0

https://www.wordfence.com/threat-intel/vulnerabilities/id/aa3e030b-8ef1-4dbc-940d-6c2ab2683620

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-11171

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-11171

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-11171

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-11171