VYPR
Medium severity 6.4 · NVD Advisory · Published Dec 10, 2024 · Updated Apr 15, 2026

CVE-2024-11928

Description

The iChart – Easy Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in iChart plugin for WordPress via unsanitized 'width' parameter allows Contributor+ users to inject arbitrary scripts.

The iChart – Easy Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 2.1.0. The flaw resides in insufficient input sanitization and output escaping of the 'width' parameter, which is used to define chart dimensions. This allows authenticated attackers with at least Contributor-level access to inject arbitrary web scripts that are stored on the server and executed when any user visits the affected page [1].

To exploit this vulnerability, an attacker must have a WordPress account with Contributor privileges or higher. The attacker can craft a shortcode or block containing a malicious 'width' value that includes JavaScript code. When the page containing the injected shortcode is rendered, the script executes in the context of the victim's browser, bypassing the plugin's intended output escaping [1].

Successful exploitation leads to Stored XSS, enabling the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, or defacing the site. The impact is limited to pages where the injected chart is displayed, but any user visiting those pages is affected. No authentication is required for the victim; the attacker's payload is stored and served automatically [1].

As of the publication date, the vulnerability remains unpatched in the free version of iChart. Users are advised to restrict Contributor-level access to trusted individuals or apply a web application firewall rule to filter malicious input. The vendor has not released a security update for this issue [1].
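The attribute-context weakness described above, as an added example that is not the iChart plugin's code: a hypothetical shortcode handler that drops a 'width' value into markup unescaped, beside a hardened version that coerces the value to a bounded integer with absint() and escapes the sink with esc_attr(). The stand-in definitions at the top are assumptions that only let the file run outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example, not the iChart plugin's code. Shows the unsafe pattern the
// advisory describes (a shortcode 'width' attribute written straight into
// markup) next to a hardened handler that validates and escapes it.

// Stand-ins so this file runs with the php CLI; WordPress provides the real ones.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('absint')) {
    function absint($n) { return abs((int) $n); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($defaults, $atts) { return array_merge($defaults, (array) $atts); }
}

// Unsafe: the attribute value a Contributor typed reaches the HTML unescaped,
// so anything that is not a plain number breaks out of the attribute context.
function chart_demo_render_unsafe($atts) {
    $atts = shortcode_atts(array('width' => '600'), $atts);
    return '<div class="chart" style="width:' . $atts['width'] . 'px"></div>';
}

// Hardened: a chart width only ever needs to be a positive integer, so the
// value is coerced to one, bounded, and still escaped at the sink.
function chart_demo_render_safe($atts) {
    $atts  = shortcode_atts(array('width' => '600'), $atts);
    $width = absint($atts['width']);
    if ($width < 1 || $width > 4000) {
        $width = 600; // out-of-range or non-numeric input falls back to the default
    }
    return '<div class="chart" style="width:' . esc_attr($width) . 'px"></div>';
}

// Constructed sample input: a width that is not a plain number.
$sample = array('width' => '600" data-x="');
echo chart_demo_render_unsafe($sample), "\n"; // attribute context is broken open
echo chart_demo_render_safe($sample), "\n";   // <div class="chart" style="width:600px"></div>
```

The same rule applies to any other shortcode or block attribute that ends up in a style, attribute or script context: validate to the narrowest type the feature needs, then escape for the exact context at output.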

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0. No linked articles in our index yet.