CVE-2025-11171: CWE-306 Missing Authentication for Critical Function in ays-pro Chartify – WordPress Chart Plugin
The Chartify – WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an unauthenticated AJAX action that dispatches to admin-class methods based on a request parameter, without any nonce or capability checks. This makes it possible for unauthenticated attackers to execute administrative functions via the wp-admin/admin-ajax.php endpoint, provided they can identify callable method names.
AI Analysis
Technical Summary
CVE-2025-11171 identifies a Missing Authentication vulnerability (CWE-306) in the Chartify – WordPress Chart Plugin, affecting all versions up to and including 3.5.9. The root cause is the plugin registering an unauthenticated AJAX action accessible via the wp-admin/admin-ajax.php endpoint. This AJAX action dispatches requests to administrative class methods based on a request parameter without performing any nonce verification or capability checks, which are standard WordPress security mechanisms to ensure that only authorized users can invoke sensitive functions. As a result, an unauthenticated attacker can craft requests that invoke administrative functions remotely, potentially modifying site data or configurations. The vulnerability does not impact confidentiality or availability directly but compromises integrity by allowing unauthorized administrative operations. Exploitation requires no authentication or user interaction, increasing the risk of automated attacks. The CVSS 3.1 base score is 5.3, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, and limited integrity impact. No patches or exploit code are currently publicly available, but the vulnerability is publicly disclosed and should be addressed promptly. This vulnerability highlights the importance of implementing proper authentication and authorization checks on all AJAX endpoints, especially those exposing administrative functionality in WordPress plugins.
Potential Impact
The primary impact of CVE-2025-11171 is unauthorized execution of administrative functions within affected WordPress sites using the Chartify plugin. This can lead to unauthorized modifications of site data, configurations, or plugin behavior, potentially undermining the integrity of the website. Although confidentiality and availability are not directly affected, integrity violations can facilitate further attacks, such as defacement, data manipulation, or privilege escalation. Since exploitation requires no authentication or user interaction, attackers can automate attacks at scale, increasing the risk for websites with this plugin installed. Organizations relying on Chartify for data visualization on WordPress sites may face reputational damage, loss of user trust, and operational disruptions if attackers exploit this vulnerability. The lack of known exploits in the wild currently reduces immediate risk, but the public disclosure increases the likelihood of future exploitation attempts. The vulnerability is particularly impactful for organizations with public-facing WordPress sites that utilize this plugin without additional access controls or monitoring.
Mitigation Recommendations
To mitigate CVE-2025-11171, organizations should immediately update the Chartify plugin to a patched version once available. In the absence of an official patch, administrators should disable or restrict access to the wp-admin/admin-ajax.php endpoint for unauthenticated users, for example by implementing web application firewall (WAF) rules that block suspicious AJAX requests targeting this plugin. Reviewing and hardening plugin code to add nonce verification and capability checks on all AJAX actions is critical. Site owners should audit their WordPress installations for unauthorized changes and monitor logs for unusual AJAX activity. Employing least privilege principles for WordPress users and limiting plugin usage to trusted environments can reduce exposure. Additionally, isolating administrative AJAX endpoints behind authentication or IP whitelisting can provide temporary protection. Regular backups and incident response plans should be in place to recover from potential compromises. Finally, security teams should track updates from the plugin vendor and WordPress security advisories for timely remediation.
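The hardening the recommendations call for (nonce verification, capability checks, and no dispatch on a caller-chosen method name) is shown below as an added illustration in PHP. It is not the Chartify plugin's code: the `example_chart` prefix, the `Example_Chart_Admin` class and its two methods, the `function` request parameter, and the `example-chart-admin` script handle are all hypothetical; only the WordPress hooks and helper functions (`wp_ajax_*`, `check_ajax_referer`, `current_user_can`, `wp_create_nonce`) are real. The first handler reproduces the unsafe pattern the description names; the second is the corrected form.

```php
<?php
// Added illustration, not the Chartify plugin's code. The plugin prefix
// "example_chart", the admin class and its methods are hypothetical.

class Example_Chart_Admin {
    // Hypothetical administrative operations that must never be reachable anonymously.
    public function save_settings() { return array( 'saved' => true ); }
    public function export_chart()  { return array( 'exported' => true ); }
}

// --- Unsafe pattern (CWE-306): registered on the nopriv hook, so anonymous
//     requests reach it; the target method is chosen by the caller and no
//     nonce or capability is checked. Kept only to contrast with the fix.
add_action( 'wp_ajax_nopriv_example_chart_admin', 'example_chart_unsafe_dispatch' );
add_action( 'wp_ajax_example_chart_admin',        'example_chart_unsafe_dispatch' );
function example_chart_unsafe_dispatch() {
    $admin  = new Example_Chart_Admin();
    $method = isset( $_POST['function'] ) ? $_POST['function'] : '';
    if ( method_exists( $admin, $method ) ) {
        call_user_func( array( $admin, $method ) );
    }
    wp_die();
}

// --- Hardened form: authenticated hook only (no wp_ajax_nopriv_), a nonce
//     bound to this action, an explicit capability, and a fixed allowlist
//     instead of dispatching on an arbitrary method name.
add_action( 'wp_ajax_example_chart_admin_v2', 'example_chart_safe_dispatch' );
function example_chart_safe_dispatch() {
    // 1. CSRF protection: dies with 403 unless a valid nonce for this action is present.
    check_ajax_referer( 'example_chart_admin_nonce', 'nonce' );

    // 2. Authorization: the logged-in user must hold an administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Map the request parameter onto a closed set of permitted methods.
    $allowed = array(
        'save_settings' => 'save_settings',
        'export_chart'  => 'export_chart',
    );
    $requested = isset( $_POST['function'] )
        ? sanitize_key( wp_unslash( $_POST['function'] ) )
        : '';
    if ( ! isset( $allowed[ $requested ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown action' ), 400 );
    }

    $admin  = new Example_Chart_Admin();
    $result = call_user_func( array( $admin, $allowed[ $requested ] ) );
    wp_send_json_success( $result );
}

// The nonce is minted server side on an admin page and sent with each request
// as the "nonce" field. "example-chart-admin" is an assumed, already registered
// script handle.
add_action( 'admin_enqueue_scripts', 'example_chart_enqueue_admin_script' );
function example_chart_enqueue_admin_script() {
    wp_localize_script( 'example-chart-admin', 'exampleChartAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_chart_admin_nonce' ),
    ) );
}
```

Two points of the corrected handler matter most for this CWE: the action is registered only on `wp_ajax_`, so `admin-ajax.php` never routes an anonymous request to it, and the request parameter is used as a key into a fixed array rather than as a method name, so even an authenticated caller cannot reach methods the plugin did not intend to expose. When auditing a plugin for the pattern described in this advisory, look for `wp_ajax_nopriv_` registrations whose callbacks use `method_exists`, `call_user_func`, or `$this->$method()` on request data.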
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-29T17:24:27.372Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e5f884c921af165e2d8721
Added to database: 10/8/2025, 5:37:08 AM
Last enriched: 2/27/2026, 6:49:38 PM
Last updated: 3/21/2026, 6:22:43 AM