CVE-2024-13698: CWE-862 Missing Authorization in Astoundify Jobify - Job Board WordPress Theme
CVE-2024-13698 is a medium severity vulnerability in the Jobify WordPress theme by Astoundify, affecting all versions up to and including 4.2.7. It arises from missing authorization checks on the 'download_image_via_ai' and 'generate_image_via_ai' functions, which lets unauthenticated attackers invoke them. Through these functions an attacker can make the vulnerable site issue arbitrary web requests, upload image files, and generate AI images with the site's OpenAI API key, leading to unauthorized data modification and misuse of the site's resources. Exploitation requires neither authentication nor user interaction. No exploitation in the wild has been reported so far. Organizations using this theme should prioritize patching or interim mitigations to prevent abuse and protect the API key.
AI Analysis
Technical Summary
CVE-2024-13698 is a Missing Authorization (CWE-862) vulnerability in the Jobify - Job Board WordPress theme by Astoundify, present in all versions up to and including 4.2.7. Two functions, 'download_image_via_ai' and 'generate_image_via_ai', are reachable by remote requests but perform no capability check, so an unauthenticated attacker can invoke them without credentials or user interaction. The functions exist to drive an AI image-generation workflow using the OpenAI API key configured on the site. Through them an attacker can make the server issue arbitrary web requests, store image files on the site, and generate images through OpenAI at the site owner's expense. The arbitrary-request capability is a server-side request forgery (SSRF) primitive: the WordPress host becomes a proxy for reaching internal networks and other services it can connect to, and the responses can be written to the site as files. The impact is on confidentiality (internal resources reachable via SSRF) and integrity (unauthorized file creation and API use); availability is not affected, which matches the CVSS v3.1 base score of 6.5 (Medium) for a network-reachable, low-complexity attack requiring no privileges and no user interaction. At the time of publication no patch and no public exploit had been reported, but the low effort needed to exploit the flaw and the exposure of a paid API key make the risk material.
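To make the bug class concrete, the following is an added, hypothetical PHP reconstruction of the pattern, not Jobify's actual code: a 'download_image_via_ai'-style AJAX handler registered for unauthenticated callers with no capability check, beside a hardened version. Only the action name follows the advisory; the `url` parameter, the nonce action `jobify_ai_image`, the allowed host and the function names are assumptions.

```php
<?php
// Added, hypothetical reconstruction of the CWE-862 pattern in a WordPress AJAX
// handler. This is NOT Jobify's code; only the action name comes from the advisory.

// ---- Vulnerable shape --------------------------------------------------------
// Registering the callback under wp_ajax_nopriv_* makes it reachable by an anonymous
// POST /wp-admin/admin-ajax.php?action=download_image_via_ai request.
add_action( 'wp_ajax_download_image_via_ai',        'vuln_download_image_via_ai' );
add_action( 'wp_ajax_nopriv_download_image_via_ai', 'vuln_download_image_via_ai' );

function vuln_download_image_via_ai() {
    // Parameter name 'url' is an assumption.
    $url = isset( $_POST['url'] ) ? $_POST['url'] : '';

    // No nonce, no current_user_can(): any visitor makes the server fetch $url
    // (SSRF against anything the host can reach) and saves the body as an image.
    $response = wp_remote_get( $url );
    $body     = wp_remote_retrieve_body( $response );
    $upload   = wp_upload_bits( 'ai-image.png', null, $body );
    wp_send_json_success( $upload );
}

// ---- Hardened shape ----------------------------------------------------------
// Real fix: keep the original action name, drop the wp_ajax_nopriv_* line so anonymous
// callers get admin-ajax.php's default error response, and add the checks below.
// A distinct name is used here only so both versions can coexist in one file.
add_action( 'wp_ajax_download_image_via_ai_safe', 'safe_download_image_via_ai' );

function safe_download_image_via_ai() {
    // 1. CSRF: the request must carry a nonce issued to this user
    //    (front end obtains it via wp_create_nonce( 'jobify_ai_image' ); name assumed).
    check_ajax_referer( 'jobify_ai_image', 'nonce' );

    // 2. Authorization, the check CWE-862 is about: only users who may upload media
    //    can make the server fetch and store a file.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Destination allowlist: the image should only ever come from the AI provider.
    //    The host is a placeholder; replace it with the provider's real image host.
    $url  = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( '' === $url || ! in_array( $host, array( 'images.ai-provider.example' ), true ) ) {
        wp_send_json_error( 'url not allowed', 400 );
    }

    // 4. wp_safe_remote_get() runs wp_http_validate_url(): http/https only, ports
    //    80/443/8080 only, and loopback / RFC 1918 IPv4 targets rejected. Redirects
    //    are disabled so an allowed host cannot bounce the request elsewhere.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }

    // 5. Accept image bodies only; wp_upload_bits() stores the file under wp-content/uploads.
    $type = (string) wp_remote_retrieve_header( $response, 'content-type' );
    if ( 0 !== strpos( $type, 'image/' ) ) {
        wp_send_json_error( 'not an image', 415 );
    }
    $upload = wp_upload_bits( 'ai-image.png', null, wp_remote_retrieve_body( $response ) );
    if ( ! empty( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $upload['url'] ) );
}
```

The capability check in step 2 is the single missing control the CVE describes; steps 3 to 5 address the SSRF and file-write consequences that an authorization check alone does not remove for logged-in users. Note that wp_http_validate_url() resolves the hostname once and only blocks IPv4 private ranges, so the explicit host allowlist is the primary control and network-level egress filtering still belongs alongside it.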
Potential Impact
An unauthenticated attacker can use the vulnerable functions to store image files on the site and to generate images through the site's OpenAI API key, so the site owner bears the API charges and may see the account's quota exhausted. The SSRF primitive lets the attacker use the web server as a proxy to probe internal networks, reach services bound to the host itself, or access other resources that are only reachable from the server, which can escalate into further compromise. Organizations running the theme for job-board functionality face unexpected cost, data-integrity problems and reputational damage. Because exploitation needs neither credentials nor user interaction, every unpatched installation is exposed, and mass automated exploitation is likely once public exploit code appears.
Mitigation Recommendations
1. Update the Jobify theme as soon as Astoundify ships a version with proper authorization checks; track the vendor changelog and the Wordfence advisory for the fixed version.
2. Until then, block unauthenticated access to the 'download_image_via_ai' and 'generate_image_via_ai' functions. WordPress AJAX handlers are typically reached through admin-ajax.php with an action parameter, so a WAF or server rule can deny such requests when no logged-in session is present; a must-use plugin that aborts the request before the handler runs is the more reliable option, since it uses the server's own view of the session rather than the presence of a cookie.
3. Restrict outbound HTTP from the web server (egress firewall or proxy allowlist) to the hosts it legitimately needs, such as the AI provider's API, so that SSRF cannot reach internal services or other restricted resources.
4. Rotate the OpenAI API key configured in the theme. Because the vulnerable functions could be called anonymously, misuse may not be distinguishable from legitimate traffic, so rotate rather than wait for evidence of abuse, and set a usage limit on the OpenAI account to cap the cost of any further misuse.
5. Monitor web server logs for requests to the two functions from unauthenticated clients, unexpected outbound connections from the web host, and unexplained new image files in the uploads directory; review OpenAI usage dashboards for spikes.
6. In custom code and plugins, gate any AI image feature with a capability check (current_user_can) and a nonce, and never register it for unauthenticated callers.
7. Train site administrators on the risk of exposed API keys and apply least privilege to API keys and to theme/plugin management rights.
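Recommendations 2 and 5 can be implemented together as a small must-use plugin. The following is an added example, not code from Astoundify or Wordfence; the action names are taken from the advisory, and the assumption that they are dispatched through admin-ajax.php's action parameter is mine, as are the function names.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2024-13698 (added example, hypothetical)
 * Description: Denies unauthenticated admin-ajax.php calls to the Jobify AI image
 *              actions and logs each attempt. Place in wp-content/mu-plugins/ so it
 *              loads before the theme.
 */

// Action names come from the advisory. That they are dispatched through
// admin-ajax.php's ?action= parameter is an assumption of this example.
function cve_2024_13698_blocked_actions() {
    return array( 'download_image_via_ai', 'generate_image_via_ai' );
}

function cve_2024_13698_deny_unauthenticated() {
    // Only AJAX requests from anonymous visitors are of interest; logged-in users
    // still reach the theme's handler, which must do its own capability check.
    if ( ! wp_doing_ajax() || is_user_logged_in() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( ! in_array( $action, cve_2024_13698_blocked_actions(), true ) ) {
        return;
    }

    // Recommendation 5: leave an audit trail (source IP and action only, never the body).
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'CVE-2024-13698 virtual patch: denied unauthenticated action=%s from %s', $action, $ip ) );

    // Recommendation 2: stop here, before admin-ajax.php fires wp_ajax_nopriv_<action>.
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}

// 'init' fires while wp-load.php bootstraps, after the current user is resolved and
// before admin-ajax.php dispatches the wp_ajax_nopriv_* hook; priority 0 keeps this
// ahead of other init callbacks.
add_action( 'init', 'cve_2024_13698_deny_unauthenticated', 0 );
```

After deploying it, an anonymous `curl -d action=generate_image_via_ai https://<site>/wp-admin/admin-ajax.php` should return HTTP 403 and produce one line in the PHP error log; if the theme exposes the functions through another route (for example a REST endpoint), the check has to be moved to the matching hook. An equivalent edge rule on a WAF or reverse proxy (deny these actions on admin-ajax.php when no `wordpress_logged_in_*` cookie is present) is coarser, because the cookie's presence can be forged while is_user_logged_in() validates it.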
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-24T03:03:29.872Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e69b7ef31ef0b5a02d2
Added to database: 2/25/2026, 9:49:29 PM
Last enriched: 2/25/2026, 10:45:36 PM
Last updated: 2/26/2026, 8:03:31 AM