CVE-2024-10571

CRITICAL EXPLOITED NUCLEI

Chartify - WordPress Chart Plugin <= 2.9.5 - Unauthenticated Local File Inclusion via Source Parameter

Title source: llm

Exploitation Summary

CVE-2024-10571 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including RandomRobbieBF. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains a functional proof-of-concept for CVE-2024-10571, demonstrating an unauthenticated Local File Inclusion (LFI) vulnerability in the Chartify WordPress plugin. The exploit leverages the 'source' parameter to include arbitrary files, potentially leading to remote code execution (RCE) if PHP files are accessible.

Description

The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Exploits (1)

nomisec WORKING POC

by RandomRobbieBF · infoleak

https://github.com/RandomRobbieBF/CVE-2024-10571

View Code ZIP pw:eip

The repository contains a functional proof-of-concept for CVE-2024-10571, demonstrating an unauthenticated Local File Inclusion (LFI) vulnerability in the Chartify WordPress plugin. The exploit leverages the 'source' parameter to include arbitrary files, potentially leading to remote code execution (RCE) if PHP files are accessible.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Chartify – WordPress Chart Plugin <= 2.9.5

No auth needed

Prerequisites: WordPress installation with Chartify plugin <= 2.9.5 · Access to the target's admin-ajax.php endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Chartify – WordPress Chart Plugin < 2.9.6 - Local File Inclusion

CRITICALVERIFIEDby iamnoooob,pdresearch

References (3)

Core 3

Core References

https://abrahack.com/posts/chart-builder-lfi/

Product

https://plugins.trac.wordpress.org/browser/chart-builder/tags/2.9.6/admin/partials/charts/actions/chart-builder-charts-actions-options.php?rev=3184238

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/d4837258-c749-4194-926c-22b67e20c1fc?source=cve

Scores

CVSS v3 9.8

EPSS 0.0484

EPSS Percentile 90.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2024-11-14

CWE

CWE-98

Status published

Products (2)

ays-pro/chartify < 2.9.6

ays-pro/Chartify – WordPress Chart Plugin < 2.9.5

Published Nov 14, 2024

Tracked Since Feb 18, 2026