CVE-2024-10571
📋 TL;DR
The Chartify – WordPress Chart Plugin is vulnerable to Local File Inclusion (LFI) via the 'source' parameter. An unauthenticated attacker can make the plugin include arbitrary files on the server and execute any PHP code they contain, which can lead to remote code execution, data theft, and access control bypass. All versions up to and including 2.9.5 are affected; version 2.9.6 fixes the issue.
💻 Affected Systems
- Chartify – WordPress Chart Plugin
📦 What is this software?
Chartify by Ays Pro
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, leading to data exfiltration, ransomware deployment, or complete site takeover.
Likely Case
Unauthenticated attackers execute arbitrary PHP code to create backdoors, steal sensitive data, or deface websites.
If Mitigated
With the plugin disabled or a WAF rule in front of it, attackers can still probe for the file inclusion, but the include never runs. Upload restrictions and disabling PHP execution in wp-content/uploads only stop an attacker from staging their own PHP file for the LFI to pull in; on their own they do not prevent inclusion of files already on the server (logs, configuration, plugin source), so they reduce impact rather than close the hole.
🎯 Exploit Status
Simple HTTP requests with crafted parameters can trigger the vulnerability; exploit code is publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.6
Patched source (WordPress plugin repository, tag 2.9.6): https://plugins.trac.wordpress.org/browser/chart-builder/tags/2.9.6/admin/partials/charts/actions/chart-builder-charts-actions-options.php?rev=3184238
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Chartify – WordPress Chart Plugin'.
4. Click 'Update Now' if available, or manually update to version 2.9.6.
5. Verify the update completed and the listed version is 2.9.6 or higher.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the Chartify plugin until patching is possible.
wp plugin deactivate chart-builder
Web Application Firewall Rule
Block requests whose 'source' parameter contains path traversal or PHP stream wrapper patterns.
ModSecurity rule: SecRule ARGS:source "@rx \.\.|\/|php:\/\/" "id:1001,phase:2,deny,status:403,msg:'Chartify LFI attempt'"
ModSecurity URL-decodes ARGS once before matching, so %2e%2e%2f is caught; add t:urlDecodeUni to the action list if you expect double-encoded payloads. The pattern also denies any 'source' value containing a forward slash, so run it in DetectionOnly against the plugin's normal traffic before switching to blocking.
🧯 If You Can't Patch
- Immediately disable the Chartify plugin via WordPress admin or command line.
- Implement strict file upload controls and disable PHP execution in upload directories.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Chartify version. If version is 2.9.5 or lower, system is vulnerable.
Check Version:
wp plugin get chart-builder --field=version
Verify Fix Applied:
Confirm Chartify plugin version is 2.9.6 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-admin/admin-ajax.php whose 'source' parameter contains path traversal sequences (../), including their URL-encoded forms (%2e%2e%2f, %252e%252e%252f), or PHP stream wrappers (php://, phar://, data://).
- PHP warnings in the web server or PHP error log such as "include(): Failed opening '...' for inclusion" or "failed to open stream: No such file or directory", which appear when an attacker probes a path that does not exist.
Network Indicators:
- Incoming requests with 'action=chart_builder_charts_actions_options' and suspicious 'source' parameter values.
- Spike in requests to Chartify plugin endpoints from unknown IPs.
SIEM Query:
source="web_access_logs" AND uri_path="/wp-admin/admin-ajax.php" AND query_string="*source=*" AND (query_string="*../*" OR query_string="*php://*")
Run this against the URL-decoded query string if your platform stores one, or add the encoded forms (%2e%2e%2f, php%3A%2F%2F) as extra terms; otherwise encoded payloads slip past the wildcards.
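The following Python scanner is an added example, not code from this advisory or from the Chartify plugin. It applies the same logic as the WAF rule and the SIEM query above to access-log lines offline, with the one refinement both of them lack: it percent-decodes the 'source' value until it stops changing, so single- and double-encoded traversal sequences are detected alongside plain ones. The log lines are constructed for the example (the action name is the one listed under Network Indicators; the fourth line carries an unrelated, benign 'source' parameter), and the pattern and function names are ours.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Added example, not from the advisory or the plugin; pattern names are ours.
# A PHP stream wrapper at the start of the 'source' value (php://, phar://, ...).
WRAPPER_RE = re.compile(r"^(?:php|phar|data|file|zip|glob|expect):", re.IGNORECASE)
# A '..' segment followed by a slash, backslash or end of string.
TRAVERSAL_RE = re.compile(r"\.\.(?:[\\/]|$)")
# Apache/nginx combined format: ip ident user [ts] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252e%252e is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_source(value: str) -> Optional[str]:
    """Return why a 'source' value looks like an LFI probe, or None if benign."""
    decoded = fully_decode(value).replace("\x00", "")
    if WRAPPER_RE.search(decoded):
        return "php-wrapper"
    if TRAVERSAL_RE.search(decoded):
        return "path-traversal"
    return None


def scan_access_log(lines: List[str]) -> List[dict]:
    """Return one finding per request whose 'source' parameter looks malicious."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("uri"))
        # parse_qs performs one round of decoding; fully_decode handles the rest.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("source", []):
            reason = classify_source(value)
            if reason:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "path": parts.path,
                    "source": fully_decode(value),
                    "reason": reason,
                })
    return findings


# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Nov/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=chart_builder_charts_actions_options&source=../../../../etc/passwd HTTP/1.1" 200 1532
203.0.113.10 - - [05/Nov/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=chart_builder_charts_actions_options&source=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 2210
203.0.113.11 - - [05/Nov/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?source=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 980
198.51.100.7 - - [05/Nov/2024:10:00:04 +0000] "GET /?utm_campaign=spring&source=newsletter HTTP/1.1" 200 5120
198.51.100.8 - - [05/Nov/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45
"""


def scan_sample() -> List[dict]:
    """Run the scanner over the constructed sample; three of five lines should hit."""
    return scan_access_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{hit['ts']} {hit['ip']} {hit['path']} source={hit['source']!r} -> {hit['reason']}")
```

The scanner keys on the parameter rather than on a fixed handler path, so a probe that reaches the plugin through a different entry point is still reported; the path is carried in each finding so an analyst can filter on /wp-admin/admin-ajax.php when that is the only endpoint of interest. Feeding the same `classify_source` into a quick check of candidate WAF patterns is a cheap way to confirm that legitimate 'source' values on your site (the marketing-style one in the sample, for instance) do not trip the rule.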