Chartify < 3.5.4 – Cross-Site Request Forgery | CVE 2025-54673 | Plugin Vulnerabilities

Description

The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 3.5.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/af076acb-f0a8-4f47-bfa6-74e20759f764

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Xuan Chien

Verified

No

WPVDB ID

5aae32d5-540c-48e1-a1b4-146549d62875

Timeline

Publicly Published

2025-07-30 (about 10 months ago)

Added

2025-08-04 (about 10 months ago)

Last Updated

2025-08-04 (about 10 months ago)

Other

Published

Title

Published

2025-03-11

Title

Frontpage category filter <= 1.0.2 - Cross-Site Request Forgery

Published

2023-05-31

Title

TS Webfonts for さくらのレンタルサーバ < 3.1.3 - Font Type Settings Change via CSRF

Published

2025-01-07

Title

TubePress.NET <= 4.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-06-27

Title

Społecznościowa 6 PL 2013 <= 2.0.6 - Cross-Site Request Forgery

Published

2024-04-29

Title

5280 Bootstrap Modal Contact Form <= 1.0 - Cross-Site Request Forgery to Bulk Delete Messages