CVE-2024-10571

CRITICAL EXPLOITED NUCLEI

Ays-pro Chartify < 2.9.6 - Remote File Inclusion

Description

The Chartify – WordPress Chart Plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Exploits (1)

nomisec WORKING POC
by RandomRobbieBF · infoleak
https://github.com/RandomRobbieBF/CVE-2024-10571

Nuclei Templates (1)

Chartify – WordPress Chart Plugin < 2.9.6 - Local File Inclusion
CRITICAL · VERIFIED · by iamnoooob, pdresearch

Scores

CVSS v3 9.8
EPSS 0.8493
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2024-11-14

Classification

CWE CWE-98
Status published

Affected Products (1)

ays-pro/chartify < 2.9.6

Timeline

Published Nov 14, 2024
Tracked Since Feb 18, 2026