{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11171", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-29T17:24:27.372Z", "datePublished": "2025-10-08T05:24:49.497Z", "dateUpdated": "2026-04-08T17:14:20.755Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:20.755Z"}, "affected": [{"vendor": "ays-pro", "product": "Chartify \u2013 WordPress Chart Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Chartify \u2013 WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an unauthenticated AJAX action that dispatches to admin-class methods based on a request parameter, without any nonce or capability checks. This makes it possible for unauthenticated attackers to execute administrative functions via the wp-admin/admin-ajax.php endpoint granted they can identify callable method names."}], "title": "Chartify \u2013 WordPress Chart Plugin <= 3.5.9 - Missing Authentication for Administrative Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa3e030b-8ef1-4dbc-940d-6c2ab2683620?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/chart-builder/tags/3.5.8/includes/class-chart-builder.php#L247"}, {"url": "https://plugins.trac.wordpress.org/browser/chart-builder/tags/3.5.8/admin/class-chart-builder-admin.php#L675"}, {"url": "https://plugins.trac.wordpress.org/browser/chart-builder/tags/3.5.8/admin/class-chart-builder-admin.php#L1625"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3372188%40chart-builder%2Ftags%2F3.6.0&new=3372188%40chart-builder%2Ftags%2F3.6.0"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-306 Missing Authentication for Critical Function", "cweId": "CWE-306", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}, {"lang": "en", "type": "finder", "value": "Kai Aizen"}], "timeline": [{"time": "2025-09-29T17:40:08.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-07T16:43:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-08T16:12:25.016688Z", "id": "CVE-2025-11171", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-08T16:16:23.576Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11171", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-08T16:12:25.016688Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-08T16:16:19.434Z"}}], "cna": {"title": "Chartify \u2013 WordPress Chart Plugin <= 3.5.9 - Missing Authentication for Administrative Function", "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}, {"lang": "en", "type": "finder", "value": "Kai Aizen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ays-pro", "product": "Chartify \u2013 WordPress Chart Plugin", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.5.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-29T17:40:08.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-07T16:43:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa3e030b-8ef1-4dbc-940d-6c2ab2683620?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/chart-builder/tags/3.5.8/includes/class-chart-builder.php#L247"}, {"url": "https://plugins.trac.wordpress.org/browser/chart-builder/tags/3.5.8/admin/class-chart-builder-admin.php#L675"}, {"url": "https://plugins.trac.wordpress.org/browser/chart-builder/tags/3.5.8/admin/class-chart-builder-admin.php#L1625"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3372188%40chart-builder%2Ftags%2F3.6.0&new=3372188%40chart-builder%2Ftags%2F3.6.0"}], "descriptions": [{"lang": "en", "value": "The Chartify \u2013 WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an unauthenticated AJAX action that dispatches to admin-class methods based on a request parameter, without any nonce or capability checks. This makes it possible for unauthenticated attackers to execute administrative functions via the wp-admin/admin-ajax.php endpoint granted they can identify callable method names."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-08T05:24:49.497Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11171", "state": "PUBLISHED", "dateUpdated": "2025-10-08T16:16:23.576Z", "dateReserved": "2025-09-29T17:24:27.372Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-08T05:24:49.497Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Chartify \u2013 WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an unauthenticated AJAX action that dispatches to admin-class methods based on a request parameter, without any nonce or capability checks. This makes it possible for unauthenticated attackers to execute administrative functions via the wp-admin/admin-ajax.php endpoint granted they can identify callable method names."}], "id": "CVE-2025-11171", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-08T06:15:34.270", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/chart-builder/tags/3.5.8/admin/class-chart-builder-admin.php#L1625"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/chart-builder/tags/3.5.8/admin/class-chart-builder-admin.php#L675"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/chart-builder/tags/3.5.8/includes/class-chart-builder.php#L247"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3372188%40chart-builder%2Ftags%2F3.6.0&new=3372188%40chart-builder%2Ftags%2F3.6.0"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa3e030b-8ef1-4dbc-940d-6c2ab2683620?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:27:43.027478+00:00", "value": {"mitigation_remediation": ["Upgrade the Chartify plugin to version 3.6.0 or later, where the insecure AJAX action has been removed or secured.", "If an upgrade is not immediately possible, remove or block the ajax_action hook that exposes the vulnerable endpoint (for example, by editing the plugin code to require authentication and nonce checks).", "Review WordPress admin user roles and restrict access to all users except trusted site owners.", "Monitor site logs for any unauthorized calls to the admin-ajax.php endpoint and consider implementing a Web Application Firewall rule to filter such requests."], "summary": {"action": "Patch Now", "impact": "Unauthorized Administrative Function Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the ays-pro Chartify \u2013 WordPress Chart Plugin version 3.5.9 and earlier. Sites running WordPress with any of these plugin versions are at risk if the plugin is installed and unchanged.", "description_and_impact": "The Chartify plugin contains an unauthenticated AJAX endpoint that dispatches to privileged admin methods without nonce or capability verification. This allows anyone to invoke administrative functions through wp-admin/admin-ajax.php. An attacker who can determine what method names are exposed could modify or delete chart data, change user settings, or potentially inject code, compromising the site\u2019s integrity and confidentiality. The weakness is identified as CWE-306.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates moderate risk, and the EPSS score of less than 1\u202f% suggests exploitation is presently unlikely. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can exploit it via the public wp-admin/admin-ajax.php endpoint once they discover callable method names; no special privileges or network access are required beyond the ability to send HTTP requests."}}}}, "created": "2025-10-09T12:55:17.626148+00:00", "updated": "2026-04-21T02:30:25.835227+00:00", "vendors": ["ays-pro", "ays-pro$PRODUCT$chartify", "wordpress", "wordpress$PRODUCT$wordpress"]}