Impact
The vulnerability resides in the Ays Pro Chartify chart‑builder plugin for WordPress and permits a Cross‑Site Request Forgery (CSRF) attack. An attacker can trick an authenticated user into performing unwanted actions through the plugin’s interface, potentially leading to unauthorized modification of chart data or settings. Because the flaw allows actions to be executed in the context of the logged‑in user, it can affect the page’s integrity and any data that the user is permitted to alter. The weakness is consistent with CWE‑352, a classic CSRF flaw.
Affected Systems
Installed instances of the WordPress Chartify plugin version 3.6.3 or earlier are affected. The advisory specifies that all releases from the earliest available version up to and including 3.6.3 contain the flaw. No specific vendor or product names beyond the Chartify chart‑builder are included, but the plugin developers are listed as Ays Pro.
Risk and Exploitability
The flaw carries a CVSS score of 4.3, indicating moderate risk, and the EPSS score is reported as less than 1 %, which indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further suggesting it has not been widely exploited. A likely attack path is a compromised or attacker‑controlled website that, when opened in the browser of an authenticated user, submits a request to the plugin’s endpoint; because the CSRF token is missing or not checked, the request triggers chart‑builder actions as that user. No special privileges are required beyond the target’s normal, authenticated user session. Given the low EPSS, the risk is considered moderate but should still be mitigated promptly.
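The missing‑or‑unchecked token condition described above, as an added illustration that is not the plugin’s own code (the AJAX action, option and field names are hypothetical): a WordPress AJAX handler that saves chart settings with no CSRF protection, beside the hardened form that verifies a nonce and checks the caller’s capability.

```php
<?php
// Added illustration, not Chartify code. Action, option and field names are hypothetical.

// VULNERABLE: any request that carries a logged-in user's cookies is honoured.
// A form on another site can post here; the browser attaches the victim's
// WordPress session cookies, and the setting is overwritten as that user.
add_action( 'wp_ajax_chart_save_settings_vuln', function () {
    $title = isset( $_POST['chart_title'] ) ? (string) $_POST['chart_title'] : '';
    update_option( 'chart_title', $title ); // no nonce check, no capability check
    wp_send_json_success();
} );

// HARDENED: bind the request to a nonce only the plugin's own admin page emits,
// and require a capability so a low-privileged session cannot change settings.
add_action( 'wp_ajax_chart_save_settings', function () {
    // Dies with HTTP 403 unless the '_wpnonce' field is present and valid for this action.
    check_ajax_referer( 'chart_save_settings', '_wpnonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $title = isset( $_POST['chart_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['chart_title'] ) )
        : '';
    update_option( 'chart_title', $title );
    wp_send_json_success();
} );

// The legitimate settings form, rendered by the plugin's own admin page callback
// (hypothetical), carries the nonce so only same-site, user-initiated submissions pass.
function chart_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="chart_save_settings">
        <?php wp_nonce_field( 'chart_save_settings', '_wpnonce' ); ?>
        <input type="text" name="chart_title">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

A quick check for this class of flaw in any plugin is to grep its `wp_ajax_*` and `admin_post_*` handlers for a `check_ajax_referer`, `check_admin_referer` or `wp_verify_nonce` call before any state change.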
OpenCVE Enrichment