Platform
wordpress
Component
chart-builder
Fixed in
3.6.4
CVE-2025-66529 identifies a Cross-Site Request Forgery (CSRF) vulnerability within the Chartify chart-builder WordPress plugin. This flaw allows an attacker to potentially execute unauthorized actions on a user's account if they can trick the user into clicking a malicious link. The vulnerability impacts versions of Chartify from 0.0.0 up to and including 3.6.3, and a fix is available in version 3.6.4.
A successful CSRF attack could allow an attacker to modify chart configurations, delete existing charts, or potentially gain access to sensitive data associated with the charts. The impact is amplified if the plugin is used in environments where chart data contains confidential information. While direct data exfiltration might not be possible, an attacker could manipulate the plugin's functionality to disrupt services or compromise user accounts. The blast radius depends on the plugin's permissions and the sensitivity of the data it handles.
CVE-2025-66529 was publicly disclosed on 2025-12-09. No public proof-of-concept (PoC) code has been identified at the time of writing. The EPSS score is pending evaluation, but given the public disclosure and the relatively straightforward nature of CSRF exploitation, a medium probability of exploitation is likely. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.02% (6% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-66529 is to upgrade the Chartify plugin to version 3.6.4 or later. If upgrading immediately is not feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which the plugin can load resources. Additionally, ensure that users are educated about the risks of clicking on suspicious links and that appropriate input validation is in place to prevent malicious requests. After upgrading, verify the fix by attempting to trigger a chart modification via a crafted URL – the request should be blocked or require authentication.
Update to version 3.6.4, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-66529 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Chartify WordPress plugin versions 0.0.0–3.6.3, allowing attackers to perform unauthorized actions.
You are affected if you are using Chartify plugin versions 0.0.0 through 3.6.3. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Chartify plugin to version 3.6.4 or later to resolve the vulnerability. Consider implementing CSP as an additional layer of defense.
While no active exploitation has been confirmed, the vulnerability is publicly disclosed and the ease of CSRF exploitation suggests a potential risk.
Refer to the Chartify plugin's official website or WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.