Vulnerability Notice: CVE-2024-10571

Vendor:
Ays-Pro

Affected Product:
Chartify

CVSS SCORE:
9.8 of 10 (Critical)

Risk Index:
9.04 of 10 (Critical)

Description

A critical vulnerability has been identified in the Chartify – WordPress Chart Plugin in versions up to, and including, 2.9.5. This Local File Inclusion vulnerability is exploited via the ‘source’ parameter, allowing unauthenticated attackers to include and execute arbitrary files on the server. As a result, malicious actors can bypass access controls, obtain sensitive information, or execute any PHP code available in the included files.


Affected Product(s)

  • Chartify – WordPress Chart Plugin (Versions up to and including 2.9.5)


Technical Details

The Chartify – WordPress Chart Plugin is a widely used tool for creating dynamic and static charts, graphs, and diagrams on WordPress websites. It’s a crucial component for many website owners seeking to visualize data efficiently. However, a significant security flaw has been uncovered in this plugin, specifically in its handling of the ‘source’ parameter, leading to a Local File Inclusion (LFI) vulnerability (CVE-2024-10571).

Technical specifics reveal that the vulnerability arises when an attacker manipulates the ‘source’ parameter in a request to the Chartify plugin. This parameter is passed to a file-inclusion call without adequate sanitization, so it can be made to reference arbitrary files on the server. When PHP processes the request, the referenced file is included and interpreted as code, granting attackers the ability to run any PHP contained in it.

The severity of this vulnerability is highlighted by its high CVSS scores:

  • CVSS v3 Base Score: 9.8 (Critical)
  • CVSS v2 Base Score: 10.0 (High)

These scores indicate the high impact of potential exploitation and the ease with which it can be executed. The unauthenticated nature of the attack means it can be exploited without any prior access or credentials, significantly increasing the risk to exposed systems. Affected versions include all releases up to and including version 2.9.5.

The Chartify plugin, developed by AYS Pro, has had multiple iterations:

  • Initial versions (1.x.x)
  • Major updates through 2.x.x versions up to the vulnerable 2.9.5

The vulnerability is notably observed in how the plugin handles file inclusion, relying on user input that isn’t properly sanitized or validated. Common attack vectors include:

  • Inserting filenames in the ‘source’ parameter that lead to inclusion of sensitive configuration files
  • Crafting URLs to include files that contain malicious scripts, leading to remote code execution (RCE)

The implications of such an attack are extensive. Threat actors can read sensitive files, manipulate server-side code, and, in some cases, establish backdoors for persistent access.

The Local File Inclusion vulnerability in the Chartify plugin has caught the attention of security researchers and organizations. Adversary groups often leverage such vulnerabilities to perform targeted attacks, where exploiting a single unpatched plugin can compromise an entire application stack. Moreover, automated exploit tools can be easily configured to seek out and exploit these vulnerabilities across a wide range of internet-facing WordPress sites.

Due to the severity and impact, this vulnerability has been actively discussed in security bulletins and forums. For example:

  • Detailed analysis and proof-of-concept exploits have been shared by Wordfence and other security researchers.
  • The vulnerability has been tracked in reputed databases such as MITRE’s CVE and NIST’s NVD.

In response, developers are urged to update to version 2.9.6 or later, where this issue has been patched. As part of the mitigation strategy:

  • Proper input validation and sanitization have been implemented to ensure that user-supplied input does not lead to arbitrary file inclusion.
  • Enhanced security checks are in place to prevent similar flaws in future updates.
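The passage above on how the ‘source’ parameter reaches a file-inclusion call, and the mitigation bullets on input validation, both describe the same CWE-98 pattern. The following is an added example, not code from the Chartify plugin or from AYS Pro: the function names, the CHARTIFY_SOURCE_DIR constant and the data-source file names are hypothetical. It shows the vulnerable shape beside an allowlist-based replacement in which the untrusted string never reaches include():

```php
<?php
// Added example, not the Chartify plugin's own code. Function names, the
// CHARTIFY_SOURCE_DIR constant and the source file names are hypothetical.

// Scratch directory holding the allowlisted source files so the demo runs
// offline; a real plugin ships such files inside its own directory.
$dir = sys_get_temp_dir() . '/chartify-demo-' . getmypid();
@mkdir($dir, 0700, true);
foreach (['source-manual.php', 'source-csv.php'] as $f) {
    file_put_contents("$dir/$f", "<?php echo 'loaded ', basename(__FILE__), PHP_EOL;\n");
}
define('CHARTIFY_SOURCE_DIR', $dir);

// Vulnerable pattern (CWE-98): the request parameter is concatenated into the
// include path. The fixed prefix and '.php' suffix do not help, because '..'
// segments in the value still let the caller pick any file PHP can read.
function chartify_render_chart_vulnerable(array $request): void
{
    $source = $request['source'] ?? 'manual';
    include CHARTIFY_SOURCE_DIR . '/source-' . $source . '.php';  // user input reaches include()
}

// Hardened pattern: the parameter is only ever used as a key into a fixed
// allowlist, so the untrusted string itself never becomes a path.
const CHARTIFY_ALLOWED_SOURCES = [
    'manual' => 'source-manual.php',
    'csv'    => 'source-csv.php',
];

function chartify_resolve_source(string $source): ?string
{
    if (!array_key_exists($source, CHARTIFY_ALLOWED_SOURCES)) {
        return null;                                   // unknown key: reject
    }
    $real = realpath(CHARTIFY_SOURCE_DIR . '/' . CHARTIFY_ALLOWED_SOURCES[$source]);
    $base = realpath(CHARTIFY_SOURCE_DIR);
    // Defence in depth: the resolved file must still sit inside the plugin directory.
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function chartify_render_chart_hardened(array $request): bool
{
    $path = chartify_resolve_source((string) ($request['source'] ?? 'manual'));
    if ($path === null) {
        http_response_code(400);                       // reject the request, include nothing
        return false;
    }
    include $path;
    return true;
}

// Demo: an allowlisted key loads its file; any other value is refused before
// the file system is touched.
var_dump(chartify_render_chart_hardened(['source' => 'csv']));
var_dump(chartify_render_chart_hardened(['source' => '../outside']));

// Clean up the scratch directory.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

The allowlist is the actual fix; the realpath() check is a second layer that also catches a packaging mistake such as a symlinked source file. Rejecting with a 400 and no include at all is preferable to falling back to a default chart, because the fallback would hide probing from the server logs.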

In essence, the combination of an unauthenticated Local File Inclusion with high ease of exploitation makes this a critical threat that demands immediate attention and remediation from users and administrators of the Chartify plugin on their WordPress installations.


Weakness

The weakness associated with this vulnerability is categorized under CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’). This reflects a failure in the application’s handling of file inputs: the ‘source’ parameter is neither validated nor sanitized before it is used in an include statement, which allows attacker-chosen files to be included and executed.


Impact Assessment

If exploited, this vulnerability could allow an attacker to gain unauthorized access to the server, read sensitive data, execute arbitrary PHP code, and potentially take full control of the server. This jeopardizes the confidentiality, integrity, and availability of the data and the hosting environment.


Active Exploitation

There have been observations of active exploitation of this vulnerability. Adversary groups have been noted to exploit similar vulnerabilities, and in this case, automated threats have been detected scanning for and targeting Chartify plugin versions before 2.9.6.


Ransomware Association

While there is no specific ransomware attack confirmed to be exploiting this particular vulnerability, the nature of Local File Inclusion vulnerabilities makes them an attractive vector for ransomware operators. They can use such vulnerabilities to gain initial access before deploying their malicious payloads.


Mitigation and Resolution

We have released a patch that addresses this vulnerability in version 2.9.6 of the Chartify plugin. It is crucial to:

  • Update immediately to version 2.9.6 or later to secure your WordPress installation.


Recommendations

  • We strongly recommend that all customers apply the latest patch as soon as possible.
  • Check your WordPress plugins and ensure they are all up to date.
  • Regularly scan your WordPress installation for vulnerabilities.
  • Consider employing a web application firewall (WAF) to add an extra layer of security against similar vulnerabilities.
  • Review server logs for any suspicious activity that may indicate an attempted exploit.
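For the log-review recommendation, the following is an added example that is not part of this advisory or of the plugin. It parses combined-format web server access log lines, extracts the ‘source’ query parameter and flags requests whose value is not one of the expected chart sources or that carries path-traversal characters or a URL scheme. The request path, the list of expected values and the log lines are all constructed for the demo; the real plugin endpoint may differ.

```php
<?php
// Added example for reviewing access logs after CVE-2024-10571; not part of the
// advisory or the plugin. Paths, expected values and log lines are constructed.

// Values the hypothetical plugin is expected to receive in 'source'.
const EXPECTED_SOURCES = ['manual', 'csv', 'json'];

// Constructed combined-format access log lines.
$constructedLog = <<<'LOG'
203.0.113.10 - - [12/Nov/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=chartify&source=csv HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2024:10:01:09 +0000] "GET /wp-admin/admin.php?page=chartify&source=json HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2024:10:02:45 +0000] "GET /wp-admin/admin.php?page=chartify&source=..%2F..%2F..%2Fconfig HTTP/1.1" 200 2097 "-" "python-requests/2.31"
198.51.100.7 - - [12/Nov/2024:10:02:46 +0000] "GET /wp-admin/admin.php?page=chartify&source=uploads HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.33 - - [12/Nov/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its request fields and decoded query parameters.
function parse_access_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $query = (string) (parse_url($m[4], PHP_URL_QUERY) ?? '');
    parse_str($query, $params);                          // percent-decodes the values
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5], 'params' => $params];
}

// Return the reasons a 'source' value looks like an inclusion attempt, if any.
function source_param_findings(array $params): array
{
    if (!isset($params['source']) || !is_string($params['source'])) {
        return [];
    }
    $v = $params['source'];
    $findings = [];
    if (!in_array($v, EXPECTED_SOURCES, true)) {
        $findings[] = 'value outside expected list';
    }
    if (strpos($v, '..') !== false || strpbrk($v, "/\\\0") !== false) {
        $findings[] = 'path traversal characters';
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $v)) {
        $findings[] = 'URL scheme / stream wrapper';
    }
    return $findings;
}

// Walk the log and collect every request that triggered at least one finding.
function review_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_access_log_line($line);
        if ($req === null) {
            continue;
        }
        $findings = source_param_findings($req['params']);
        if ($findings) {
            $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'status' => $req['status'],
                       'source' => $req['params']['source'], 'findings' => $findings];
        }
    }
    return $hits;
}

foreach (review_log($constructedLog) as $h) {
    printf("%s %s status=%d source=%s -> %s\n",
        $h['time'], $h['ip'], $h['status'], $h['source'], implode(', ', $h['findings']));
}
```

A 200 response on a flagged request is the line to treat as a probable compromise rather than a mere probe, since it means the server returned content for the inclusion; a 4xx or 5xx on the same value suggests the attempt failed or was blocked. On a patched site, the allowlist check alone (the first finding) is usually enough to surface scanners, because automated tools rarely send a value the plugin actually accepts.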
