Description
The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-05
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Charts Ninja plugin for WordPress is vulnerable to stored cross-site scripting through its 'chartid' shortcode attribute. Because the attribute value is neither sanitized on input nor escaped on output, an authenticated user with the Contributor role or higher can store arbitrary JavaScript in post content that executes in the browser of anyone who views the affected page. A Contributor cannot publish posts or submit unfiltered HTML, but a shortcode in a draft or pending post is enough: the payload fires when an Editor or Administrator previews or publishes it, which is what makes the bug more than a self-XSS. The CVSS vector records low confidentiality and integrity impact and no availability impact; in practice that covers defacement, theft of data visible to the victim, and requests issued with the victim's session, which for an administrator can include creating users or installing plugins.

Affected Systems

All installations of the Charts Ninja plugin up to and including version 2.1.0, distributed by Common Ninja under the name "Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website." Every release through 2.1.0 is affected; no fixed version is listed on this page.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: reachable over the network, low attack complexity, low privileges (a Contributor account), no user interaction beyond viewing the page, and a scope change because the script runs in another user's browser. It is not listed in CISA's KEV catalog and no EPSS score is available. Exploitation requires only a Contributor account and a post containing the crafted shortcode; any user who renders that post, including the editor or administrator who reviews it, triggers the payload. Because the payload is stored in post content, it keeps firing until that content is removed. Upgrading to a version that escapes the attribute stops it from rendering as script but does not delete it, so existing posts should be checked after an upgrade.

Generated by OpenCVE AI on May 5, 2026 at 03:24 UTC.
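The pattern the description refers to, shown as an added example rather than the plugin's own code: a shortcode handler that interpolates its 'chartid' attribute straight into markup, beside a hardened handler that validates the value and escapes it on output. The shortcode tag 'demo_chart', the generated markup and the accepted ID shape are assumptions made for this example.

```php
<?php
// Added illustration, not the Charts Ninja plugin's code: a WordPress shortcode
// handler that places a 'chartid' attribute into markup unescaped, beside a
// hardened version. The shortcode tag 'demo_chart', the <div> markup and the
// expected ID shape are assumptions made for this example.

// Stand-ins so the file runs outside WordPress; inside WordPress the real
// esc_attr(), shortcode_atts() and add_shortcode() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}

// VULNERABLE: the attribute value goes into an HTML attribute without
// validation or escaping, so a quote in the value breaks out of it.
function demo_chart_vulnerable(array $atts): string {
    $a = shortcode_atts(['chartid' => ''], $atts);
    return '<div class="demo-chart" data-chart="' . $a['chartid'] . '"></div>';
}

// HARDENED: accept only values shaped like an ID (assumed: 1-64 characters
// from [A-Za-z0-9_-]) and escape on output anyway, in case the allowed
// shape is ever relaxed.
function demo_chart_hardened(array $atts): string {
    $a  = shortcode_atts(['chartid' => ''], $atts);
    $id = (string) $a['chartid'];
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        return ''; // unexpected value: render nothing rather than guess
    }
    return '<div class="demo-chart" data-chart="' . esc_attr($id) . '"></div>';
}

if (function_exists('add_shortcode')) {
    add_shortcode('demo_chart', 'demo_chart_hardened');
}

// Constructed payload. In a post it would be written with single quotes,
// [demo_chart chartid='" onmouseover="alert(document.domain)" x="'],
// which WordPress's shortcode parser accepts and passes through as the value.
$payload = '" onmouseover="alert(document.domain)" x="';

echo "vulnerable: ", demo_chart_vulnerable(['chartid' => $payload]), PHP_EOL;
echo "hardened:   ", var_export(demo_chart_hardened(['chartid' => $payload]), true), PHP_EOL;
echo "hardened:   ", demo_chart_hardened(['chartid' => 'chart-42']), PHP_EOL;
```

The vulnerable handler emits the quote in the payload unchanged, so the injected onmouseover attribute becomes part of the element; the hardened one rejects the value outright, and esc_attr() would neutralise the quote even if the allowlist were widened. Both measures are needed: validation alone reopens the hole the day the ID format admits other characters, and escaping alone lets odd values flow into JavaScript or URLs that other code may consume unescaped.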

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Charts Ninja plugin as soon as a release later than 2.1.0 that addresses the 'chartid' attribute is available; no fixed version is recorded on this page, so confirm the fix in the vendor changelog rather than assuming the latest release contains it.
  • Limit Contributor and higher roles to trusted users and audit existing accounts. A Contributor cannot publish, but any Editor or Administrator who previews a pending post containing the payload is exposed, so review pending posts with the same care as published ones.
  • If no fixed version is available, deactivate or remove the plugin. Deactivation leaves the shortcode text in posts but stops the vulnerable handler from rendering it; before re-enabling, search existing post content for 'chartid' values that are not plain identifiers and remove them.

Generated by OpenCVE AI on May 5, 2026 at 03:24 UTC.
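Upgrading does not remove payloads already stored in posts, so the second and third recommendations need a way to find them. The following is an added hunting script, not provided by OpenCVE or the vendor, that runs under WP-CLI (wp eval-file) or stand-alone against constructed sample posts; the accepted ID shape and the sample post contents are assumptions.

```php
<?php
// Added hunting script, not from OpenCVE or the plugin vendor: lists posts
// whose shortcodes carry a 'chartid' value that does not look like a chart
// ID. Run inside WordPress with `wp eval-file find-chartid.php`, or on its
// own against the constructed sample below. The accepted ID shape
// (1-64 characters from [A-Za-z0-9_-]) is an assumption; tighten it to
// whatever the plugin actually issues.

const CHARTID_OK = '/\A[A-Za-z0-9_-]{1,64}\z/';

// Captures chartid="...", chartid='...' or an unquoted chartid=value, the
// three forms WordPress's shortcode attribute parser accepts (attribute
// names are lowercased by that parser, hence the /i flag).
const CHARTID_ATTR = '/\bchartid\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]\'"]+))/i';

/**
 * @param array<int,string> $posts  post ID => post_content
 * @return array<int,array{post:int,value:string}> values that fail CHARTID_OK
 *         (an empty value is reported too, since it is not a valid ID either)
 */
function find_suspicious_chartid(array $posts): array {
    $hits = [];
    foreach ($posts as $postId => $content) {
        if (!preg_match_all(CHARTID_ATTR, $content, $matches, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($matches as $m) {
            // exactly one of the three capture groups holds the value
            $raw = ($m[1] ?? '') !== '' ? $m[1] : (($m[2] ?? '') !== '' ? $m[2] : ($m[3] ?? ''));
            // decode entities so &quot; or &#34; cannot hide a quote from the check
            $value = html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match(CHARTID_OK, $value)) {
                $hits[] = ['post' => (int) $postId, 'value' => $value];
            }
        }
    }
    return $hits;
}

// Inside WordPress, read every post of every type and status, which covers
// drafts and pending posts written by Contributors; otherwise use constructed
// sample data so the script can be exercised offline.
if (function_exists('get_posts')) {
    $posts = [];
    foreach (get_posts(['post_type' => 'any', 'post_status' => 'any', 'numberposts' => -1]) as $p) {
        $posts[$p->ID] = $p->post_content;
    }
} else {
    $posts = [
        101 => 'Quarterly figures: [demo_chart chartid="chart-42"]',
        102 => "Draft [demo_chart chartid='\" onmouseover=\"alert(1)\" x=\"']",
        103 => 'Encoded [demo_chart chartid="&quot;&gt;&lt;svg onload=alert(1)&gt;"]',
        104 => 'Unquoted [demo_chart chartid=abc_123] and nothing else',
    ];
}

foreach (find_suspicious_chartid($posts) as $hit) {
    printf("post %d: suspicious chartid %s\n", $hit['post'], json_encode($hit['value']));
}
```

On the sample data, posts 102 and 103 are reported and 101 and 104 are not. The query reads post_content only; shortcodes stored in post revisions, widgets or postmeta by other plugins are not covered, and the ID pattern should be narrowed to the plugin's real format once that is known, since anything the hardened handler would reject is exactly what this script should flag.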

Advisories

No advisories yet.

History

Tue, 05 May 2026 02:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
  Values Removed: (none)
  Values Added: Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'chartid' Shortcode Attribute
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79
Type: References
  Values Removed: (none)
  Values Added: (none listed on this page)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T02:26:54.536Z

Reserved: 2026-03-23T23:26:58.201Z

Link: CVE-2026-4730

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T03:15:59.570

Modified: 2026-05-05T03:15:59.570

Link: CVE-2026-4730

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T03:30:14Z

Weaknesses