The popular Chartify - WordPress Chart Plugin plugin for WordPress has been found to have a serious Local File Inclusion (LFI) vulnerability. This vulnerability affects all versions of the plugin up to and including version 2.9.5. The flaw enables unauthenticated attackers to include and execute arbitrary files on the server, potentially allowing them to bypass access controls, access sensitive data, or execute any PHP code contained within uploaded files. If an attacker can also upload images or other supposedly "safe" file types, they can combine that with this vulnerability to compromise your WordPress site.
Details of the Vulnerability
The vulnerability exists in the way the Chartify - WordPress Chart Plugin plugin handles the 'source' parameter. An attacker is able to manipulate this parameter to include and execute arbitrary files on the server, giving them unauthorized access to potentially sensitive information and the ability to execute any PHP code contained within the included files. To make matters worse, this vulnerability does not require any authentication, meaning that even users who are not logged in can exploit this flaw.
Here is a code snippet that highlights the vulnerable part of the plugin's code:
$source = $_GET['source'];  // untrusted request input, taken as-is
$chart_data_file = site_url('/wp-content/plugins/chartify/data/' . $source);  // concatenated with no validation or path normalization
It can be seen in the code above that the 'source' parameter is used directly, without proper validation or sanitization, which leads to the Local File Inclusion vulnerability.
Exploit Details
An attacker can exploit this vulnerability simply by altering the URL used to access the plugin's functionality. For example, by supplying a chosen file name, or a path to a malicious payload, as the 'source' parameter, they can effectively execute arbitrary files on the server with the privileges of the web application. This can lead to a complete compromise of your server, as well as exposure of sensitive information.
Here is an example of a URL that could be used to exploit this vulnerability:
https://www.example.com/chartify/?action=view&source=../../../../../wp-config.php
In this sample URL, an attacker is requesting the 'wp-config.php' file from the server by utilizing directory traversal in the 'source' parameter (i.e., '../../').
Mitigation and Recommendations
If you are using the Chartify - WordPress Chart Plugin plugin for WordPress, it is highly recommended that you update the plugin to the latest version (2.9.6 or higher) as soon as possible, as this version contains a patch for the LFI vulnerability. Additionally, it is crucial to ensure that your entire WordPress site, including all plugins and themes, is kept up to date in order to proactively protect against potential security threats.
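For developers maintaining similar code, the following is an added example (not the plugin's own code or its vendor's patch) of how the vulnerable lookup shown above could be hardened: the 'source' value is restricted to a plain file name, resolved against a fixed data directory, checked to still lie inside that directory, and then read rather than included. The data directory location and the allowed file extensions are assumptions.

```php
<?php
// Added example, not code from the Chartify plugin. Resolves the 'source'
// request parameter to a file inside a fixed data directory, or returns null.
function chartify_resolve_data_file(string $source, string $data_dir): ?string
{
    // 1. Accept only a bare file name with an expected extension (assumed
    //    to be json/csv). This rejects '/', '\', NUL bytes and '..' outright.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(json|csv)\z/', $source)) {
        return null;
    }

    // 2. Canonicalize both the base directory and the candidate path.
    $base      = realpath($data_dir);
    $candidate = realpath($data_dir . DIRECTORY_SEPARATOR . $source);
    if ($base === false || $candidate === false) {
        return null; // directory missing or file does not exist
    }

    // 3. Defense in depth: the canonical path must still start with the base
    //    directory, so a symlink inside data/ pointing elsewhere is refused.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Request handling: the resolved file is served as data, never include()d.
$data_dir = __DIR__ . '/data';                              // assumed location
$source   = isset($_GET['source']) ? (string) $_GET['source'] : '';
$file     = chartify_resolve_data_file($source, $data_dir);

if ($file === null) {
    http_response_code(400);
    exit('Invalid chart source');
}

header('Content-Type: application/json');
readfile($file);
```

With this check in place, a request such as the traversal URL shown earlier is rejected at step 1 before any file system access occurs.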
You can find more information on this vulnerability, including the original disclosure, in the following references:
- Original Vulnerability Report by XYZ Security
- WordPress Vulnerability Database (WPVDB) Entry
- Chartify - WordPress Chart Plugin - Plugin Page
In conclusion, the CVE-2024-10571 vulnerability in the Chartify - WordPress Chart Plugin presents a severe risk to your WordPress site's security if left unpatched. The ability for unauthenticated attackers to include and execute arbitrary files on your server has the potential to expose sensitive data or completely compromise your system. It is crucial to take proactive steps to ensure the security of your WordPress site by regularly updating your plugins, themes, and core files.
Timeline
Published on: 11/14/2024 11:15:04 UTC
Last modified on: 11/19/2024 15:46:52 UTC