CVE-2024-13231 is a vulnerability identified in the WordPress Portfolio Builder – Portfolio Gallery plugin, specifically affecting all versions up to and including 1.1.7. The root cause is a missing capability check in the 'add_video' function, which is responsible for adding video content to portfolio galleries. Due to the absence of proper authorization verification, unauthenticated attackers can remotely invoke this function to add arbitrary videos to any portfolio gallery on a vulnerable WordPress site. This constitutes a CWE-862 (Missing Authorization) weakness, where the system fails to enforce access control policies before allowing sensitive operations. The vulnerability does not require any privileges or user interaction, making it easier to exploit. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the fact that while the impact is limited to integrity (unauthorized modification of gallery content), it does not compromise confidentiality or availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. However, the vulnerability could be leveraged to inject malicious or inappropriate video content, potentially damaging the reputation of affected websites or misleading visitors.

The primary impact of CVE-2024-13231 is unauthorized modification of portfolio gallery content on WordPress sites using the vulnerable plugin. Attackers can add arbitrary videos without authentication, which could be used to inject malicious content, phishing videos, or inappropriate media, potentially harming the website's reputation and user trust. Although this vulnerability does not directly expose sensitive data or disrupt service availability, the integrity compromise can facilitate social engineering attacks or brand damage. For organizations relying on portfolio galleries for marketing, client engagement, or showcasing work, this could lead to loss of credibility and customer confidence. Additionally, if attackers embed malicious videos that exploit client-side vulnerabilities, it could lead to further compromise of site visitors. The ease of exploitation and lack of authentication requirements increase the risk of widespread abuse, especially on high-traffic sites.

To mitigate CVE-2024-13231, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of an official patch, administrators should consider disabling or uninstalling the Portfolio Builder – Portfolio Gallery plugin to eliminate the attack surface. As a temporary workaround, restricting access to the plugin's video addition functionality via web application firewall (WAF) rules or server-level access controls can help prevent unauthorized requests. Monitoring website content for unexpected video additions and implementing alerting mechanisms can aid in early detection of exploitation attempts. Additionally, reviewing and tightening WordPress user roles and permissions to minimize unnecessary privileges can reduce risk. Website owners should also ensure their overall WordPress installation and plugins are regularly updated and follow security best practices to limit exposure.