CVE-2024-1906 identifies a CSRF vulnerability in the frenify Categorify plugin for WordPress Media Library Category & File Manager. The issue arises from inadequate nonce validation in the categorifyAjaxAddCategory function, enabling attackers to forge requests that add categories without proper authorization. This affects all versions up to and including 1.0.7.4. The vulnerability requires user interaction (UI:R) and does not impact confidentiality or availability but can lead to unauthorized category additions (integrity impact).

An attacker can cause an authenticated site administrator to unknowingly add categories to the media library by tricking them into clicking a crafted link. This could lead to unauthorized modifications of the media library's category structure, potentially affecting site organization or content management integrity. There is no direct impact on confidentiality or availability reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should be cautious about clicking untrusted links while logged into WordPress with administrative privileges. Monitoring for plugin updates from frenify is recommended to apply any forthcoming patches addressing this CSRF vulnerability.