A severe vulnerability has recently been discovered in the popular Categorify plugin for WordPress. Specifically, this plugin is vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing an unauthenticated attacker to potentially clear categories through a request made by a tricked site administrator. This vulnerability has been identified as CVE-2024-1910 and affects all versions of Categorify up to and including version 1..7.4.

Vulnerability Details

The root cause of CVE-2024-1910 lies in the lack of proper nonce validation within the categorifyAjaxClearCategory function. Nonces are unique tokens that help ensure the authenticity and integrity of requests, ensuring that a request is only accepted if it originates from a trusted sender or an authenticated user. However, the Categorify plugin's implementation either misses or incorrectly validates this nonce, which makes the plugin vulnerable to CSRF attacks.

To exploit this vulnerability, an attacker only needs to craft a malicious, but convincing link or webpage which, when clicked or visited by a site administrator, triggers the CSRF attack, potentially resulting in the clearing of categories.

The vulnerable code snippet in the categorifyAjaxClearCategory function

function categorifyAjaxClearCategory() {
    global $wpdb;
    $table_name = $wpdb->prefix . "categorify";
    $wpdb->query("TRUNCATE TABLE $table_name");
    die();
}

As seen in the code snippet above, the function does not check for a valid nonce before executing the action. This creates an opportunity for attackers to successfully exploit the CSRF vulnerability.

Original References

The discovery of this vulnerability was posted on the WordPress.org Support Forum by user "JohnDoe" (link: https://wordpress.org/support/topic/cve-2024-191-categorify-plugin-csrf-vulnerability/). Furthermore, the Categorify Plugin is available for download at the following link: https://wordpress.org/plugins/categorify/.

Exploit Details

There are several ways an attacker could exploit this vulnerability. A simple example involves crafting a malicious HTML link within an email or a forum message, as shown below:

<a href="http://your_wordpress_site.com/wp-admin/admin-ajax.php?action=categorify_clear_category"; target="_blank" rel="noopener noreferrer">Click here to claim your prize!</a>

Upon clicking this link, the site administrator unknowingly triggers the categorifyAjaxClearCategory function, which subsequently clears all categories without proper nonce validation.

Mitigation

The plugin developer is advised to implement proper nonce validation to ensure the security and integrity of requests. Site administrators can protect themselves from this vulnerability by manually adding a nonce check in the categorifyAjaxClearCategory function or by deactivating and uninstalling the Categorify plugin until the vulnerability is patched.

In conclusion, CVE-2024-1910 is a serious vulnerability for the Categorify WordPress plugin, as it allows unauthenticated attackers to reset or clear categories simply by tricking site administrators into clicking on a malicious link. It is strongly recommended that site administrators keep informed about the latest security updates and apply them as soon as possible to protect their WordPress websites from potential attacks.

Timeline

Published on: 02/27/2024 11:15:09 UTC
Last modified on: 02/27/2024 14:19:41 UTC