
CVE-2024-1653: CWE-862 Missing Authorization in frenify Categorify – WordPress Media Library Category & File Manager

Severity: Medium
Tags: Vulnerability, cve, cve-2024-1653, cwe-862
Published: Tue Feb 27 2024 (02/27/2024, 11:05:06 UTC)
Source: CVE
Vendor/Project: frenify
Product: Categorify – WordPress Media Library Category & File Manager

Description

The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxUpdateFolderPosition in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the folder position of categories as well as update the metadata of other taxonomies.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 08:43:06 UTC

Technical Analysis

CVE-2024-1653 is a missing authorization vulnerability (CWE-862) identified in the Categorify – WordPress Media Library Category & File Manager plugin developed by frenify. The vulnerability exists in all versions up to and including 1.0.7.4. Specifically, the categorifyAjaxUpdateFolderPosition function lacks proper capability checks, allowing authenticated users with subscriber-level permissions or higher to update the folder positions of categories and modify metadata of other taxonomies within the WordPress media library. This flaw enables unauthorized modification of organizational data structures and metadata, potentially disrupting content categorization and management workflows. The vulnerability requires the attacker to be authenticated but does not require elevated privileges beyond subscriber level, nor does it require user interaction beyond login. The CVSS 3.1 base score is 4.3 (medium severity), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N indicating network exploitability, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, but integrity impact present. No patches or official fixes were linked at the time of reporting, and no known exploits have been observed in the wild. The vulnerability is relevant to any WordPress installation using the Categorify plugin, which is commonly used to enhance media library management by adding category and folder organization capabilities.

Potential Impact

The primary impact of CVE-2024-1653 is unauthorized modification of media library folder positions and taxonomy metadata, which can degrade the integrity of content organization within WordPress sites. This can lead to confusion, misclassification of media assets, and disruption of workflows that rely on accurate media categorization. Although the vulnerability does not expose confidential data or cause denial of service, it undermines the integrity and trustworthiness of the media management system. Attackers with subscriber-level access, a low-privilege role often granted to registered users or commenters, can exploit this flaw, so insider threats or compromised low-privilege accounts become a route to unauthorized changes. For organizations that rely heavily on media categorization for content delivery, marketing, or e-commerce, this could result in operational inefficiencies or reputational damage. However, the lack of known exploits and the requirement for authenticated access limit the immediate widespread impact.

Mitigation Recommendations

To mitigate CVE-2024-1653, organizations should first verify if they use the Categorify plugin and identify the installed version. Since no official patch links were provided at the time of disclosure, administrators should monitor the vendor’s website and WordPress plugin repository for updates addressing this vulnerability. In the interim, restrict subscriber-level user capabilities by hardening role permissions to prevent unauthorized access to media management functions. Employ WordPress security plugins that can enforce granular capability checks or block suspicious AJAX requests targeting categorifyAjaxUpdateFolderPosition. Implement multi-factor authentication (MFA) to reduce the risk of compromised low-privilege accounts. Regularly audit user roles and permissions to ensure only trusted users have subscriber or higher access. Additionally, monitor logs for unusual activity related to media library modifications. If feasible, temporarily disable or replace the Categorify plugin with alternative media management solutions until a secure version is available.
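The defect class the analysis describes, as an added illustration that is not Categorify's own code: a WordPress AJAX handler that writes a folder position for any logged-in caller, beside the hardened form the mitigation notes call for (nonce plus capability check, write confined to the plugin's own taxonomy). All function, action, capability, taxonomy and meta-key names here are assumed for the example.

```php
<?php
// Added example, not the plugin's source. Names are hypothetical.

// Vulnerable pattern (CWE-862): every wp_ajax_* hook is reachable by any
// authenticated user, including subscribers, so without an authorization
// check the handler lets them update term meta for any term id they send.
function example_ajax_update_folder_position_vulnerable() {
    $term_id  = isset( $_POST['term_id'] ) ? absint( $_POST['term_id'] ) : 0;
    $position = isset( $_POST['position'] ) ? absint( $_POST['position'] ) : 0;
    // No nonce, no capability check, no taxonomy restriction.
    update_term_meta( $term_id, 'example_folder_position', $position );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_folder_position_vulnerable',
            'example_ajax_update_folder_position_vulnerable' );

// Hardened form: verify a nonce (rejects cross-site requests), require a
// capability appropriate for media management (assumed: upload_files), and
// only accept terms that belong to the plugin's own taxonomy, so metadata of
// other taxonomies cannot be touched through this endpoint.
function example_ajax_update_folder_position_fixed() {
    check_ajax_referer( 'example_folder_position', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $term_id  = isset( $_POST['term_id'] ) ? absint( $_POST['term_id'] ) : 0;
    $position = isset( $_POST['position'] ) ? absint( $_POST['position'] ) : 0;
    // get_term() with an explicit taxonomy returns WP_Error/null for terms
    // outside it, which closes the "other taxonomies" path.
    $term = get_term( $term_id, 'example_media_folder' );
    if ( ! $term || is_wp_error( $term ) ) {
        wp_send_json_error( 'invalid term', 400 );
    }
    update_term_meta( $term->term_id, 'example_folder_position', $position );
    wp_send_json_success( array( 'term_id' => $term->term_id, 'position' => $position ) );
}
add_action( 'wp_ajax_example_update_folder_position',
            'example_ajax_update_folder_position_fixed' );
```

When reviewing a plugin for this class of bug, look at every `wp_ajax_*` callback for a `current_user_can()` call before any write, not only at the nonce check, since a nonce proves intent but not authorization.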


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-02-19T23:58:23.204Z
CISA Enriched: true

Threat ID: 682d9849c4522896dcbf6dd9

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 2/28/2026, 8:43:06 AM

Last updated: 3/25/2026, 3:07:29 AM
