Description
Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Chartify chart-builder allows Cross Site Request Forgery.This issue affects Chartify: from n/a through <= 3.5.3.
Published: 2025-08-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Ays Pro Chartify plugin for WordPress, allowing attackers to forge requests that the site will accept as legitimate from an authenticated user. Because the flaw exists in the chart‑building functionality, an attacker can submit forms or AJAX calls that trigger unwanted actions within the user’s account, potentially altering data or settings. The flaw is classified as CWE‑352, indicating a weakness in preventing the use of forged requests.

Affected Systems

Any WordPress site that has the Chartify plugin installed in a version up to and including 3.5.3 is vulnerable. The affected product is the "Ays Pro: Chartify" WordPress plugin; no specific WordPress core versions are mentioned, so any compatible WordPress installation using the vulnerable plugin is at risk.

Risk and Exploitability

The CVSS score of 4.3 labels the problem as moderate. The EPSS score of less than 1% indicates that real‑world exploitation is unlikely at the moment. The vulnerability is not listed in the CISA KEV catalogue, further suggesting limited exploitation. The likely attack vector is a crafted HTTP request sent by an attacker’s domain that the victims are already authenticated to the site, leading to an unintended action without additional user interaction.

Generated by OpenCVE AI on April 30, 2026 at 09:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Chartify plugin to the latest version, which removes the CSRF flaw; if no newer version is available, wait for vendor release.
  • If an update cannot be applied immediately, restrict access to the chart‑building interface by ensuring that only logged‑in users with proper permissions can reach the vulnerable endpoints.
  • Apply a web application firewall rule to detect and block suspicious CSRF patterns targeting the Chartify editor routes.

Generated by OpenCVE AI on April 30, 2026 at 09:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24720 Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Chartify allows Cross Site Request Forgery. This issue affects Chartify: from n/a through 3.5.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Chartify allows Cross Site Request Forgery. This issue affects Chartify: from n/a through 3.5.3. Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Chartify chart-builder allows Cross Site Request Forgery.This issue affects Chartify: from n/a through <= 3.5.3.
Title WordPress Chartify Plugin plugin <= 3.5.3 - Cross Site Request Forgery (CSRF) Vulnerability WordPress Chartify plugin <= 3.5.3 - Cross Site Request Forgery (CSRF) vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Thu, 14 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Ays-pro
Ays-pro chartify
Wordpress
Wordpress wordpress
Vendors & Products Ays-pro
Ays-pro chartify
Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Chartify allows Cross Site Request Forgery. This issue affects Chartify: from n/a through 3.5.3.
Title WordPress Chartify Plugin plugin <= 3.5.3 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Ays-pro Chartify
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:33.976Z

Reserved: 2025-07-28T10:55:38.572Z

Link: CVE-2025-54673

cve-icon Vulnrichment

Updated: 2025-08-14T14:57:01.156Z

cve-icon NVD

Status : Deferred

Published: 2025-08-14T11:15:45.827

Modified: 2026-04-23T15:32:47.903

Link: CVE-2025-54673

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T09:15:28Z

Weaknesses