CVE-2025-11171
BaseFortify
Publication date: 2025-10-08
Last updated on: 2025-10-08
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpres | chart_builder | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Chartify WordPress Chart Plugin allows unauthenticated attackers to execute administrative functions because the plugin registers an AJAX action without requiring authentication or capability checks. This means attackers can call admin-class methods via the wp-admin/admin-ajax.php endpoint if they know the method names, potentially performing actions that should be restricted to administrators.
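To make the CWE-306 pattern described above concrete, here is an added PHP illustration that is not the Chartify plugin's own code: the hook names, the Example_Chart_Admin class and the method names are hypothetical. It shows an admin-ajax.php handler registered for unauthenticated callers with no checks, beside a hardened version that requires a login, a nonce and a capability, and dispatches only to an allow-list.

```php
<?php
// Added illustration; hook, class and method names are hypothetical.

// VULNERABLE PATTERN (CWE-306): the handler is hooked on wp_ajax_nopriv_, so
// anyone can reach it, and it calls whatever admin-class method the request
// names, with no nonce check and no capability check.
add_action( 'wp_ajax_nopriv_example_chart_action', 'example_chart_action_insecure' );
function example_chart_action_insecure() {
    $method = sanitize_key( $_POST['method'] ?? '' );
    $admin  = new Example_Chart_Admin();
    if ( method_exists( $admin, $method ) ) {
        $admin->$method(); // any public method runs for any visitor
    }
    wp_die();
}

// HARDENED PATTERN: only logged-in users reach the handler (no nopriv hook),
// the request must carry a nonce minted with wp_create_nonce('example_chart_nonce'),
// the caller must hold the capability, and the callable comes from an allow-list
// rather than from user-controlled input.
add_action( 'wp_ajax_example_chart_action', 'example_chart_action_secure' );
function example_chart_action_secure() {
    check_ajax_referer( 'example_chart_nonce', 'nonce' ); // dies on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $allowed = array( 'save_settings', 'export_chart' ); // hypothetical methods
    $method  = sanitize_key( $_POST['method'] ?? '' );
    if ( ! in_array( $method, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown action' ), 400 );
    }
    $admin = new Example_Chart_Admin();
    wp_send_json_success( $admin->$method() );
}
```

When reviewing a plugin for this class of bug, grep for `wp_ajax_nopriv_` registrations and confirm each handler either needs no privilege at all or performs its own nonce and capability checks.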
How can this vulnerability impact me?
This vulnerability can allow unauthorized users to perform administrative actions on a WordPress site using the Chartify plugin, potentially leading to unauthorized changes or disruptions. Although it does not directly impact confidentiality or availability, it can affect the integrity of the site by allowing attackers to modify data or settings without permission.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Chartify WordPress Chart Plugin to a version later than 3.5.9 where the issue is fixed. If an update is not available, restrict access to the wp-admin/admin-ajax.php endpoint to authenticated users only, and consider disabling or removing the plugin until a patch is applied.