CVE-2024-3268 identifies a missing authorization vulnerability (CWE-862) in the YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress, specifically in the emd_form_builder_lite_submit_form function. This function lacks proper capability checks, allowing unauthenticated attackers to submit forms that create arbitrary posts or pages on affected WordPress sites. The vulnerability affects all plugin versions up to and including 3.3.6. Since the flaw requires no authentication or user interaction and can be exploited remotely, it poses a risk of unauthorized content injection, which could be leveraged for defacement, phishing, or SEO spam campaigns. The CVSS 3.1 base score is 5.3, reflecting medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability impacts data integrity but does not affect confidentiality or availability. No public exploits or patches are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is used on WordPress sites that embed YouTube video galleries, commonly found on business, media, and e-commerce websites.

The primary impact of CVE-2024-3268 is unauthorized modification of website content through the creation of arbitrary posts or pages. This can lead to website defacement, insertion of malicious or misleading content, phishing pages, or SEO spam, damaging the organization's reputation and potentially leading to user trust erosion. Although the vulnerability does not directly expose sensitive data or disrupt service availability, the integrity compromise can facilitate further attacks such as social engineering or malware distribution. Organizations relying on this plugin for video gallery functionality may face increased risk of website misuse and potential blacklisting by search engines or security services. The ease of exploitation and lack of authentication requirements increase the likelihood of automated attacks targeting vulnerable WordPress sites globally.

Organizations should immediately verify if their WordPress installations use the YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin and identify the plugin version. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. If disabling is not feasible, restrict access to the vulnerable endpoint (emd_form_builder_lite_submit_form) using web application firewalls (WAFs) or server-level access controls to block unauthenticated requests. Monitoring web server logs for unusual POST requests to the plugin’s form submission endpoint can help detect exploitation attempts. Implement strict content moderation and review processes for newly created posts or pages to identify unauthorized content promptly. Stay informed on vendor updates and apply patches as soon as they become available. Additionally, enforce least privilege principles for WordPress user roles and regularly audit installed plugins for security.