Hey, WordPress aficionados! You might have heard about security vulnerabilities in plugins, right? Well, a new one has been discovered and assigned a CVE identifier - CVE-2024-1909. It's a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to, and including, 1..7.4 of the widely-used Categorify plugin for WordPress. The vulnerability lies in the categorifyAjaxRenameCategory function, and we're here to give you all the inside scoop, complete with code snippets, original references, and exploit details!

The Vulnerability

CSRF attacks are executed when an unauthenticated attacker tricks a site administrator into performing some unintended action, such as clicking on a link or submitting a form unknowingly. In our case, the attacker could forge a request to rename categories.

Now, why is the categorifyAjaxRenameCategory function to blame here? Simply because of its missing or incorrect nonce validation. If you're wondering what a nonce is, it's a one-time-use token included in the HTTP request that lets the server verify where the request originated, so that users do not end up executing actions they never intended.

Here's how the exploit works, step by step:

1. The attacker prepares a malicious link or webpage containing a crafted CSRF payload, which when clicked by a site administrator, sends a forged request to the categorifyAjaxRenameCategory function.
2. Due to the missing or incorrect nonce validation in the function, WordPress is not able to verify the authenticity of the request.
3. As a result, the function executes the attacker's request to rename a category, without the site administrator even being aware of this action.

Let's take a closer look at the vulnerable categorifyAjaxRenameCategory function:

function categorify_ajax_rename_category() {
    // Request parameters are read straight from $_POST; nothing ties this
    // request to a page that WordPress itself rendered for the administrator.
    $categoryId = $_POST['categoryId'];
    $name = $_POST['newName'];

    // The category is looked up and renamed unconditionally.
    $category = get_term_by('id', $categoryId, 'category');
    wp_update_term($category->term_id, 'category', array(
        'name' => $name
    ));

    die();
}

Notice how there's no nonce validation present in this code? This is the root cause of the CSRF vulnerability.

To fix this issue, we must implement nonce validation using the check_ajax_referer function that ships with WordPress:

function categorify_ajax_rename_category() {
    // Verify the nonce sent in the 'security' POST field against the
    // 'categorify_rename' action; on a mismatch check_ajax_referer() stops
    // execution before anything below runs.
    check_ajax_referer('categorify_rename', 'security');

    $categoryId = $_POST['categoryId'];
    $name = $_POST['newName'];

    $category = get_term_by('id', $categoryId, 'category');
    wp_update_term($category->term_id, 'category', array(
        'name' => $name
    ));

    die();
}

Now, the plugin verifies the request's authenticity before processing it, thus mitigating the CSRF vulnerability.
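To show the whole nonce round trip that the fix above relies on, here is an added example of a hardened rename handler. It is not the Categorify plugin's own code; the hook names, the script handle, the 'categorify_rename' nonce action and the 'security' field name are assumptions chosen for illustration.

```php
<?php
// Added example, not the Categorify plugin's code. Hook names, script handle and the
// nonce action 'categorify_rename' are assumptions; the WordPress APIs are real.

// 1. Issue the nonce to the admin page's JavaScript, which must POST it back as
//    'security' together with action=categorify_rename_category, categoryId, newName.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'categorify-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'categorify-admin', 'categorifyAjax', array(
        'url'      => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'categorify_rename' ), // same action string as the check below
    ) );
} );

// 2. Register the handler for logged-in users only (no wp_ajax_nopriv_ counterpart).
add_action( 'wp_ajax_categorify_rename_category', 'categorify_ajax_rename_category_secure' );

function categorify_ajax_rename_category_secure() {
    // CSRF: the nonce must match the one issued above; on failure this dies with -1.
    check_ajax_referer( 'categorify_rename', 'security' );

    // Authorization: a valid nonce only proves the request came from a page we
    // rendered, not that this user is allowed to rename categories.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input handling: coerce the id to a non-negative integer, strip tags from the name.
    $category_id = isset( $_POST['categoryId'] ) ? absint( $_POST['categoryId'] ) : 0;
    $name        = isset( $_POST['newName'] ) ? sanitize_text_field( wp_unslash( $_POST['newName'] ) ) : '';

    $category = get_term_by( 'id', $category_id, 'category' );
    if ( ! $category || '' === $name ) {
        wp_send_json_error( array( 'message' => 'Unknown category or empty name.' ), 400 );
    }

    // wp_update_term() returns an array on success or a WP_Error on failure.
    $result = wp_update_term( $category->term_id, 'category', array( 'name' => $name ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'term_id' => $result['term_id'], 'name' => $name ) );
}
```

The capability check and input sanitization are not part of the CSRF fix itself, but a nonce only establishes where a request came from, so a handler still needs them to decide whether the requesting user may perform the action.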

To dig deeper into this vulnerability, you can visit the original references below:

- CVE-2024-1909 details on the official CVE site
- WordPress Plugin CVE-2024-1909 Technical Details and Fix
- WordPress.org Categorify Plugin Page

Summary

In conclusion, CVE-2024-1909 is a critical CSRF vulnerability in the Categorify WordPress plugin versions up to, and including, 1..7.4. The root cause is the missing or incorrect nonce validation in the categorifyAjaxRenameCategory function. Make sure to update your installations to a secure version, and remain vigilant against potential threats. Stay safe, WordPress community!

Timeline

Published on: 02/27/2024 11:15:09 UTC
Last modified on: 02/27/2024 14:19:41 UTC