CVERadar
CVE-2024-10571
Vendor: Ays-pro
SVRS: 30 (Medium severity on the SOCRadar scale; note that the CVSSv3 base score below rates the flaw Critical)
CVSSv3: 9.8
EPSS: 0.04841
Tags: In The Wild
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Publication date: 2024-11-14
Last modified: 2026-04-08
Security Intelligence Brief
What is this vulnerability and why does it matter?
This vulnerability, identified as CVE-2024-10571, is a Local File Inclusion (LFI) flaw affecting the Chartify – WordPress Chart Plugin. It allows unauthenticated attackers to include and execute arbitrary files on the server via the 'source' parameter. This is critical because successful exploitation can lead to the execution of any PHP code present in included files, potentially bypassing access controls, exfiltrating sensitive data, or achieving full code execution on the compromised server. The ability for unauthenticated users to achieve remote code execution makes this a severe threat to affected WordPress installations.
What are the CVSS score, severity level, and disclosure details?
The CVSS score for CVE-2024-10571 is 9.8, which corresponds to a Critical severity level. The vulnerability was published on November 14, 2024, at 11:00:12 UTC. The CVE record was last modified on April 8, 2026, at 17:25:50 UTC.
Which products, vendors, systems, and versions are affected?
This vulnerability affects the Chartify – WordPress Chart Plugin for WordPress. Specifically, all versions up to, and including, 2.9.5 are vulnerable.
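A fleet-level check of the affected range, as an added example that is not SOCRadar, Ays-pro or Chartify code: it parses installed plugin versions numerically and flags every host at or below 2.9.5. The inventory rows and the plugin slug `chartify` are constructed assumptions; only the 2.9.5 cut-off comes from the page.

```python
"""Affected-version triage for CVE-2024-10571 across a plugin inventory.

Added example, not SOCRadar or Ays-pro code. The inventory rows and the plugin
slug 'chartify' are constructed assumptions; the cut-off 2.9.5 is the page's.
"""
import re

LAST_VULNERABLE = "2.9.5"  # all versions up to and including this one are affected
PLUGIN_SLUG = "chartify"   # assumption: the slug under wp-content/plugins/


def parse_version(version):
    """Turn '2.9.5', '2.10' or '2.9.5.1' into a tuple of ints, padding to three parts.

    Tuples compare numerically, so 2.10.0 sorts after 2.9.5; comparing the raw
    strings would wrongly put '2.10.0' before '2.9.5' and mark it affected.
    """
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError("unparseable version: %r" % version)
    parts = [int(p) for p in m.group(0).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_affected(version):
    """True when the installed version is at or below the last vulnerable release."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def find_exposed(inventory):
    """(host, version) pairs for hosts running an affected Chartify build."""
    return sorted(
        (host, ver)
        for host, slug, ver in inventory
        if slug == PLUGIN_SLUG and is_affected(ver)
    )


INVENTORY = [  # constructed sample rows: (host, plugin slug, installed version)
    ("wp-01.example.test", "chartify", "2.9.5"),
    ("wp-02.example.test", "chartify", "2.10.0"),
    ("wp-03.example.test", "chartify", "2.9"),
    ("wp-04.example.test", "akismet", "5.3"),
]

if __name__ == "__main__":
    for host, ver in find_exposed(INVENTORY):
        print(f"{host}: Chartify {ver} is affected by CVE-2024-10571; "
              f"update past {LAST_VULNERABLE} or remove the plugin")
```

The numeric comparison is the point: a naive string comparison reports 2.10.0 as older than 2.9.5 and would either miss a fixed host or wrongly flag it, depending on which side of the check it sits.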
What is the technical root cause and attack vector?
The technical root cause of CVE-2024-10571 is a Local File Inclusion (LFI) flaw: the plugin hands the value of the 'source' request parameter to a PHP file-inclusion operation without restricting it to an allowed set of files or a fixed directory. An attacker can therefore supply an arbitrary path and have the server include, and hence execute, any file the web server process can read. The assigned weakness is CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'), which covers both local and remote inclusion through an unvalidated include path; the traversal sequences typically used to reach files outside the plugin directory are the CWE-22 (Path Traversal) pattern.
How can this vulnerability be exploited?
Exploitation of this vulnerability involves an unauthenticated attacker crafting a request to the WordPress site, specifically targeting the Chartify plugin, and manipulating the 'source' parameter. By providing a crafted file path in this parameter, the attacker can force the plugin to include and attempt to execute arbitrary files on the server. If the server allows the upload of "safe" file types (like images) that contain malicious PHP code (e.g., via a PHP polyglot image or by abusing other file upload functionalities), the attacker can include these files and achieve full remote code execution. This can lead to:
- Bypassing access controls.
- Obtaining sensitive data from the server.
- Executing arbitrary PHP code, potentially leading to full system compromise.
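Detection logic for the exploitation pattern described above, as an added example (not code from SOCRadar, Ays-pro or the Chartify plugin): it scans access-log lines for requests whose 'source' query parameter carries a traversal sequence, an absolute path, a PHP stream wrapper or a null byte, decoding the value repeatedly so double-encoded payloads are not missed. The plugin path `/wp-content/plugins/chartify/`, the endpoint file name and the log lines are constructed assumptions; the page does not state the plugin slug or the exact request.

```python
"""Scan web-server access logs for CVE-2024-10571 exploitation attempts.

Added example, not code from SOCRadar, Ays-pro or the Chartify plugin.
Assumptions (the page does not state them): the plugin lives under
/wp-content/plugins/chartify/, the 'source' parameter travels in the query
string, and logs are in Apache/nginx "combined" format.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

PLUGIN_PATH = "/wp-content/plugins/chartify/"  # assumed slug; set to the installed one

# Combined log format: ip ident user [time] "METHOD TARGET PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Each indicator is checked against the fully decoded 'source' value.
INDICATORS = {
    "traversal": re.compile(r"\.\.[/\\]"),                         # ../ or ..\
    "absolute_path": re.compile(r"^[/\\]|^[A-Za-z]:[/\\]"),         # /etc/passwd, C:\...
    "stream_wrapper": re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://"),  # php://, file://, http://
    "null_byte": re.compile("\x00"),                                # %00 truncation
    "php_file": re.compile(r"\.php(?:$|[?#])", re.I),               # includes a PHP file directly
}


def decode_fully(value, rounds=3):
    """URL-decode until stable so %252e%252e%252f (double encoding) becomes ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_source(value):
    """Names of the indicators matched by a 'source' value; empty list means benign."""
    decoded = decode_fully(value)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log(lines):
    """Return one finding per request whose 'source' parameter looks like an LFI payload.

    Confidence is 'high' when the request targets the plugin path and 'medium' when the
    same payload shape appears elsewhere (the page does not name the exact endpoint).
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
        for raw in params.get("source", []):
            hits = classify_source(raw)
            if not hits:
                continue
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": parts.path,
                "source": decode_fully(raw),
                "indicators": hits,
                "status": int(m["status"]),
                "confidence": "high" if parts.path.startswith(PLUGIN_PATH) else "medium",
            })
    return findings


# Constructed sample lines; the endpoint file name index.php is also an assumption.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Nov/2024:03:12:44 +0000] "GET /wp-content/plugins/chartify/index.php?source=../../../../wp-config.php HTTP/1.1" 200 5321 "-" "curl/8.4.0"',
    '203.0.113.10 - - [15/Nov/2024:03:12:51 +0000] "GET /wp-content/plugins/chartify/index.php?source=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1844 "-" "curl/8.4.0"',
    '198.51.100.7 - - [15/Nov/2024:04:01:09 +0000] "GET /wp-content/plugins/chartify/index.php?source=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 7120 "-" "python-requests/2.32"',
    '192.0.2.5 - - [15/Nov/2024:04:05:00 +0000] "GET /wp-content/plugins/chartify/index.php?source=bar_chart HTTP/1.1" 200 910 "https://example.test/" "Mozilla/5.0"',
    '192.0.2.9 - - [15/Nov/2024:04:06:30 +0000] "GET /index.php?source=../../etc/passwd HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['confidence']}] {f['ip']} {f['path']} source={f['source']!r} "
              f"{','.join(f['indicators'])} status={f['status']}")
```

Access logs only carry the query string, so a payload sent in a POST body will not be seen by this scan; request-body logging or a WAF is needed for that case. A 200 response on a traversal request is the strongest signal that the include succeeded, while 403 or 404 usually mean the attempt was blocked or the path did not resolve.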
What public intelligence references and advisories exist?
The only public reference this page carries is the CVE identifier itself, CVE-2024-10571; the CVE record is the authoritative pointer to the vendor and researcher advisories associated with it.
What is the risk assessment and urgency level?
The risk assessment for CVE-2024-10571 is Extremely High. With a CVSS score of 9.8, it is classified as Critical severity. The vulnerability allows unauthenticated attackers to achieve remote code execution (RCE) by including and executing arbitrary files, so an attacker can gain full control over the affected WordPress site, and potentially the underlying server, without any credentials. The urgency level for addressing this vulnerability is Immediate. Organizations using the Chartify – WordPress Chart Plugin must update to a release newer than 2.9.5 or remove the plugin to prevent compromise.