SnailSploit/CVE-2025-11171
CVE-2025-11171: Missing Authentication in Chartify WordPress Plugin

Keywords: CVE-2025-11171, Chartify WordPress vulnerability, missing authentication, WordPress security, unauthenticated AJAX exploit, WordPress plugin vulnerability, CWE-306, WordPress chart plugin security, authentication bypass, WordPress CVE 2025

Overview

Chartify WordPress Plugin Authentication Bypass Vulnerability (CVE-2025-11171) - Critical security flaw allowing unauthenticated access to administrative functions in WordPress chart building plugin.

A critical authentication bypass vulnerability was discovered in the Chartify WordPress Chart Plugin that allows unauthenticated attackers to execute administrative functions.

Discovered by: Kai Aizen & Avraham Shemesh (SnailSploit)
Published: October 7, 2025
CVSS Score: 5.3 (Medium)
CWE: CWE-306 - Missing Authentication for Critical Function
Plugin: Chartify – WordPress Chart Plugin
Attack Type: Unauthenticated AJAX Admin Function Execution
Required Privileges: None (Unauthenticated Attack)

Vulnerability Details

Description

The Chartify WordPress Chart Plugin contains a missing authentication vulnerability in all versions up to and including 3.5.9. The plugin registers an unauthenticated AJAX action that dispatches to admin-class methods based on a request parameter without any nonce or capability checks.

Impact

This vulnerability allows unauthenticated attackers to:

  • Execute administrative functions via the wp-admin/admin-ajax.php endpoint
  • Bypass authentication controls
  • Potentially manipulate plugin settings and data

Affected Versions

  • Vulnerable: All versions ≤ 3.5.9
  • Patched: Version 3.6.0 and above

CVSS v3.1 Metrics

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

| Metric | Value |
|---|---|
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | None (C:N) |
| Integrity | Low (I:L) |
| Availability | None (A:N) |

Technical Details

The vulnerability exists in the AJAX handler implementation where:

  1. The plugin registers an unauthenticated AJAX action
  2. This action dispatches to admin-class methods based on request parameters
  3. No nonce validation is performed
  4. No capability checks are implemented
  5. Attackers who can identify callable method names can invoke them directly

Attack Vector

POST /wp-admin/admin-ajax.php

The vulnerability can be exploited through the WordPress admin-ajax.php endpoint without authentication, provided the attacker can identify valid method names.
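The dispatch pattern described above, shown as an added illustrative example rather than Chartify's actual source: a generic "call whatever admin method the request names" handler registered on the unauthenticated `wp_ajax_nopriv_` hook, followed by the hardened form a reviewer would expect. Class, function and hook names (`Example_Admin`, `example_dispatch`, the `method` POST field, the nonce action) are hypothetical.

```php
<?php
// Constructed example, not plugin code. Admin class with methods that
// change plugin state.
class Example_Admin {
    public function save_settings() { /* writes plugin options */ }
    public function delete_chart()  { /* destructive admin operation */ }
}

// INSECURE: one AJAX action, reachable by anonymous visitors, that calls
// any public method named by the client. No nonce, no capability check,
// and method_exists() is not an allowlist.
function example_insecure_dispatch() {
    $admin  = new Example_Admin();
    $method = isset($_POST['method']) ? $_POST['method'] : '';
    if (method_exists($admin, $method)) {
        $admin->$method();
    }
    wp_die();
}
add_action('wp_ajax_nopriv_example_dispatch', 'example_insecure_dispatch'); // anonymous
add_action('wp_ajax_example_dispatch',        'example_insecure_dispatch'); // logged in

// HARDENED: same feature, three controls added.
function example_secure_dispatch() {
    // 1. Nonce tied to this action; check_ajax_referer() dies with 403 on failure.
    check_ajax_referer('example_dispatch_nonce', 'nonce');

    // 2. Capability check: only users allowed to manage options reach admin methods.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 3. Fixed allowlist: map client-supplied strings to known callables instead of
    //    trusting reflection on the request value.
    $admin   = new Example_Admin();
    $allowed = array(
        'save_settings' => array($admin, 'save_settings'),
        'delete_chart'  => array($admin, 'delete_chart'),
    );
    $method = isset($_POST['method']) ? sanitize_key(wp_unslash($_POST['method'])) : '';
    if (!isset($allowed[$method])) {
        wp_send_json_error('unknown method', 400);
    }
    call_user_func($allowed[$method]);
    wp_send_json_success();
}
// Register the authenticated hook only: administrative work has no business on
// a wp_ajax_nopriv_ hook.
add_action('wp_ajax_example_dispatch', 'example_secure_dispatch');
```

The allowlist is the control that addresses the root cause: even if the nonce leaks or a low-privilege account is compromised, the set of reachable methods stays fixed at design time instead of being every public method on the class.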

Remediation

For Site Administrators

Immediate Action Required:

  1. Update to Chartify version 3.6.0 or later immediately
  2. Review your site's access logs for suspicious AJAX requests to admin-ajax.php
  3. If you cannot update immediately, consider temporarily disabling the plugin

Update Instructions

  1. Navigate to Plugins > Installed Plugins in WordPress admin
  2. Locate "Chartify – WordPress Chart Plugin"
  3. Click Update Now to upgrade to version 3.6.0 or later
  4. Verify the update was successful

For Developers

Ensure all AJAX handlers implement proper security controls:

// Example of proper AJAX security. Register the authenticated hook only;
// do not add a wp_ajax_nopriv_ variant for an administrative action.
add_action('wp_ajax_your_action', 'your_callback');

function your_callback() {
    // Verify nonce; check_ajax_referer() terminates the request on failure
    check_ajax_referer('your_nonce_action', 'nonce');

    // Check capabilities and return 403 rather than the default status
    if (!current_user_can('manage_options')) {
        wp_die('Unauthorized', 403);
    }

    // Your secure code here
}

Timeline

  • October 7, 2025 - Vulnerability publicly disclosed
  • October 8, 2025 - CVE record updated
  • Version 3.6.0 - Patch released by plugin vendor

Credits

Researchers:

  • Kai Aizen - SnailSploit
  • Avraham Shemesh - SnailSploit

Disclosure Process: Coordinated through Wordfence Bug Bounty Program

Disclaimer

This information is provided for security research and defensive purposes only. Any exploitation of this vulnerability for malicious purposes is illegal and unethical. Always obtain proper authorization before testing systems you do not own.

Contact

For questions or additional information about this vulnerability:


Last updated: October 13, 2025
