The Categorify plugin for WordPress is vulnerable to unauthorized modification of data. This is due to a missing capability check on the categorifyAjaxDeleteCategory function in all versions up to, and including, 1..7.4. As a result, authenticated attackers with subscriber-level access and above can delete categories.

Exploit Details

The Categorify plugin for WordPress (versions up to 1..7.4) is a popular tool that allows users to easily categorize their posts. However, a serious vulnerability has been discovered in the plugin that allows for unauthorized data modification. This is because of a missing capability check in the categorifyAjaxDeleteCategory function. This makes it possible for authenticated attackers, who have a subscriber-level account or higher on a target WordPress site that employs the plugin, to delete categories.

Here's the code snippet in question:

function categorify_ajax_delete_category() {
    global $wpdb;
    $category_id = intval( $_POST['cat_id'] );
    $table_name = $wpdb->prefix . "categorify_categories";
    $result = $wpdb->delete($table_name, array('catID' => $category_id));

    if ($result) {
        echo 'success';
    } else {
        echo 'fail';
    }

    die();
}
add_action('wp_ajax_categorify_delete_category', 'categorify_ajax_delete_category');

As shown in the code above, the categorify_ajax_delete_category() function in the Categorify plugin deletes a category based on the POST parameter 'cat_id', and does this without checking for proper user capabilities.

To exploit this vulnerability, an authenticated attacker sends an AJAX POST request to the targeted site with the action set to 'categorify_delete_category' and the 'cat_id' value set to the targeted category ID.
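For comparison with the vulnerable handler above, here is a hardened variant that adds the missing capability check, plus a nonce check that the snippet also lacks. It is an added example, not the plugin's own patch. The 'manage_categories' capability, the nonce action and 'nonce' field names, and the JSON responses (in place of the original 'success'/'fail' strings) are assumptions.

```php
<?php
// Added example: hardened variant of the handler shown above.
// Assumptions (not from the plugin): the 'manage_categories' capability,
// the nonce action 'categorify_delete_category' and the 'nonce' POST field.
function categorify_ajax_delete_category() {
    global $wpdb;

    // Authorization: a wp_ajax_* hook only guarantees a logged-in user,
    // so a subscriber reaches this code unless a capability is required.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends JSON and exits
    }

    // CSRF protection: reject requests without a valid nonce.
    // Passing false as the third argument returns the result instead of dying.
    if ( ! check_ajax_referer( 'categorify_delete_category', 'nonce', false ) ) {
        wp_send_json_error( 'bad_nonce', 403 );
    }

    // Input validation: accept only a scalar that yields a positive integer.
    $raw         = isset( $_POST['cat_id'] ) ? wp_unslash( $_POST['cat_id'] ) : 0;
    $category_id = is_scalar( $raw ) ? absint( $raw ) : 0;
    if ( 0 === $category_id ) {
        wp_send_json_error( 'invalid_cat_id', 400 );
    }

    $table_name = $wpdb->prefix . 'categorify_categories';
    $result     = $wpdb->delete(
        $table_name,
        array( 'catID' => $category_id ),
        array( '%d' ) // bind the ID as an integer
    );

    // $wpdb->delete() returns the number of rows removed, or false on error.
    if ( $result ) {
        wp_send_json_success( array( 'deleted' => $category_id ) );
    }
    wp_send_json_error( 'not_deleted', 404 );
}
add_action( 'wp_ajax_categorify_delete_category', 'categorify_ajax_delete_category' );
```

The page that renders the delete control would need to emit a matching nonce with wp_create_nonce( 'categorify_delete_category' ) and send it in the 'nonce' field.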

Recommendations

To mitigate this vulnerability, WordPress site administrators are strongly advised to do the following:

1. Review the permissions of user accounts to ensure that only trusted users have higher privileges.

2. Regularly monitor your site for any suspicious activity, and keep all plugins, themes, and WordPress core up to date.

Conclusion

The CVE-2024-1649 vulnerability in the Categorify WordPress plugin is a critical issue that allows unauthorized data modification. It is essential for site administrators to stay vigilant and take necessary actions to keep their WordPress installations secure, including updating to the latest version of the plugin and monitoring user activities.

Timeline

Published on: 02/27/2024 11:15:08 UTC
Last modified on: 02/27/2024 14:19:41 UTC