cleantalk
Vulnerabilities and Security Researches

Chartify – WordPress Chart Plugin, CVE-2025-11171

CVE, Research URL

CVE-2025-11171

Home page URL

Security reports for Chartify – WordPress Chart Plugin

Application

Chartify – WordPress Chart Plugin

Published on
Oct 08, 2025
Research Description
The Chartify – WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an unauthenticated AJAX action that dispatches to admin-class methods based on a request parameter, without any nonce or capability checks. This makes it possible for unauthenticated attackers to execute administrative functions via the wp-admin/admin-ajax.php endpoint granted they can identify callable method names.
Affected versions
max 3.6.0.
Status
vulnerable
Previous vulnerability researches
Captivate Sync (CVE-2025-60221) , Nov 10, 2025
Captivate Sync (CVE-2024-53820) , Dec 08, 2024
New vulnerability
JB News Ticker (CVE-2025-11804) , Nov 11, 2025
My auctions allegro (CVE-2025-10048) , Nov 11, 2025
Sertifier Certificates & Open Badges – Tutor LMS (CVE-2025-53214) , Nov 11, 2025
Toast Mobile Menu – PageSpeed Insights Friendly (CVE-2025-53238) , Nov 11, 2025
Stripe Payment forms for WordPress Plugin – WP Full Pay (CVE-2025-9322) , Nov 11, 2025