Missing Authorization vulnerability in GS Plugins GS Portfolio for Envato allows an attacker to bypass configured access control and view or modify plugin data that should be restricted. The flaw stems from incorrect handling of security levels within the plugin and can potentially expose sensitive portfolio information and compromise site integrity. The impact is the unauthorized availability of data and configuration control to users who are not permitted to access it. The weakness is identified as CWE‑862.

GS Plugins’ GS Portfolio for Envato for WordPress is affected. All WordPress sites running any version of the plugin from its earliest release up to and including 1.4.2 are vulnerable. The problem exists regardless of the WordPress core version because it resides entirely within the plugin code.

The CVSS base score of 5.3 indicates a medium severity issue. The EPSS score of <1% shows a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user with elevated privileges exploiting the plugin’s administrative interface, or potentially a remote attacker who can trigger the plugin’s endpoints via crafted requests. An attacker would need to be able to reach the WordPress site and have some form of login credential that the plugin accepts. Because the vulnerability relies on incorrect configuration of access levels, the exact exploitability depends on the site’s role and capability setup. However, once an unauthorized user obtains access, they can retrieve or manipulate portfolio data, leading to data leakage or site compromise.