vulnerability

WordPress Plugin: chart-builder: CVE-2025-11171: Missing Authentication for Critical Function

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:N/I:P/A:N)	Oct 7, 2025	Oct 8, 2025	Oct 9, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Published

Oct 7, 2025

Added

Oct 8, 2025

Modified

Oct 9, 2025

Description

The Chartify – WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an unauthenticated AJAX action that dispatches to admin-class methods based on a request parameter, without any nonce or capability checks. This makes it possible for unauthenticated attackers to execute administrative functions via the wp-admin/admin-ajax.php endpoint granted they can identify callable method names.

Solution

chart-builder-plugin-cve-2025-11171

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-11171
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/aa3e030b-8ef1-4dbc-940d-6c2ab2683620?source=api-prod
CVE-2025-11171
https://attackerkb.com/topics/CVE-2025-11171
CWE-306

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today