Platform
wordpress
Component
chart-builder
Fixed in
3.6.4
CVE-2025-66529 identifies a Cross-Site Request Forgery (CSRF) vulnerability within the Chartify chart-builder WordPress plugin. This flaw allows an attacker to potentially execute unauthorized actions on a user's account if they can trick the user into clicking a malicious link. The vulnerability impacts versions of Chartify from 0.0.0 up to and including 3.6.3, and a fix is available in version 3.6.4.
A successful CSRF attack could allow an attacker to modify chart configurations, delete existing charts, or potentially gain access to sensitive data associated with the charts. The impact is amplified if the plugin is used in environments where chart data contains confidential information. While direct data exfiltration might not be possible, an attacker could manipulate the plugin's functionality to disrupt services or compromise user accounts. The blast radius depends on the plugin's permissions and the sensitivity of the data it handles.
CVE-2025-66529 was publicly disclosed on 2025-12-09. No public proof-of-concept (PoC) code has been identified at the time of writing. The EPSS score is pending evaluation, but given the public disclosure and the relatively straightforward nature of CSRF exploitation, the probability of exploitation is assessed as medium. It is not currently listed in the CISA KEV catalog.
Websites utilizing the Chartify plugin, particularly those handling sensitive data within charts, are at risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable if they haven't applied the update. Sites with weak user authentication or those that haven't implemented robust CSP policies are especially susceptible.
• wordpress / composer / npm: grep -r 'chartify/chart-builder' /var/www/html/wp-content/plugins/
• wordpress / composer / npm: wp plugin list | grep chart-builder
• wordpress / composer / npm: wp plugin update chart-builder --version=3.6.4
disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2025-66529 is to upgrade the Chartify plugin to version 3.6.4 or later. If upgrading immediately is not feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which the plugin can load resources. Additionally, ensure that users are educated about the risks of clicking on suspicious links and that appropriate input validation is in place to prevent malicious requests. After upgrading, verify the fix by attempting to trigger a chart modification via a crafted URL – the request should be blocked or require authentication.
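The standard WordPress defense against this class of CSRF is a nonce check plus a capability check on every state-changing handler, applied before any input is processed. The block below is an added illustration, not Chartify's code and not a description of the 3.6.4 fix; the hook name `hypothetical_chart_save`, the option names, the `config` parameter and the `manage_options` capability choice are assumptions.

```php
<?php
// Added example: a state-changing admin action, first without and then
// with CSRF protection. Not Chartify's code; all names are hypothetical.

// The link or form that triggers the action carries a nonce bound to the
// current user, a time window, and this specific chart id.
function hypothetical_chart_save_url( $chart_id ) {
    $url = add_query_arg(
        array( 'action' => 'hypothetical_chart_save', 'chart_id' => (int) $chart_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'hypothetical_chart_save_' . (int) $chart_id );
}

// Vulnerable pattern: any request that reaches the hook is honoured, so a
// logged-in administrator who loads a third-party page can be made to
// overwrite a chart without noticing.
function hypothetical_chart_save_unsafe() {
    $chart_id = (int) $_REQUEST['chart_id'];
    update_option( 'hypothetical_chart_' . $chart_id, wp_unslash( $_REQUEST['config'] ) );
    wp_safe_redirect( admin_url( 'admin.php?page=hypothetical_charts' ) );
    exit;
}

// Hardened pattern: reject forged or unauthorised requests before touching state.
function hypothetical_chart_save_safe() {
    $chart_id = isset( $_REQUEST['chart_id'] ) ? (int) $_REQUEST['chart_id'] : 0;

    // 1. Only users permitted to manage charts may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. The _wpnonce value produced by wp_nonce_url() must match the action
    //    string including the chart id; a link planted on another site cannot
    //    carry a valid one. check_admin_referer() dies on mismatch.
    check_admin_referer( 'hypothetical_chart_save_' . $chart_id );

    // 3. Validate and sanitise input only once the request is known to be genuine.
    $config = isset( $_REQUEST['config'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['config'] ) )
        : '';
    update_option( 'hypothetical_chart_' . $chart_id, $config );

    wp_safe_redirect( admin_url( 'admin.php?page=hypothetical_charts' ) );
    exit;
}
add_action( 'admin_post_hypothetical_chart_save', 'hypothetical_chart_save_safe' );
```

When reviewing a plugin for this issue, look for `admin_post_*`, `admin_action_*` and `wp_ajax_*` handlers that call `update_option()`, `wp_delete_post()` or similar without a preceding `check_admin_referer()` / `check_ajax_referer()` and a `current_user_can()` check.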
Update to version 3.6.4, or a newer patched version
CVE-2025-66529 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Chartify WordPress plugin versions 0.0.0–3.6.3, allowing attackers to perform unauthorized actions.
You are affected if you are using Chartify plugin versions 0.0.0 through 3.6.3. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Chartify plugin to version 3.6.4 or later to resolve the vulnerability. Consider implementing CSP as an additional layer of defense.
While no active exploitation has been confirmed, the vulnerability is publicly disclosed and the ease of CSRF exploitation suggests a potential risk.
Refer to the Chartify plugin's official website or WordPress plugin repository for the latest advisory and update information.