Vulnerabilites related to Projectopia - Projectopia
Vulnerability from fkie_nvd
Published
2025-05-01 05:15
Modified
2025-05-19 11:54
Severity ?
Summary
The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'pto_remove_logo' function in all versions up to, and including, 5.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| projectopia | projectopia | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:projectopia:projectopia:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "27C14F7C-656F-45AB-AB00-8D2E2B96AFE8",
"versionEndExcluding": "5.1.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Projectopia \u2013 WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the \u0027pto_remove_logo\u0027 function in all versions up to, and including, 5.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users."
},
{
"lang": "es",
"value": "El complemento Projectopia \u2013 WordPress Project Management de WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos, lo que puede provocar una denegaci\u00f3n de servicio debido a la falta de comprobaci\u00f3n de la funci\u00f3n \u00abpto_remove_logo\u00bb en todas las versiones hasta la 5.1.16 incluida. Esto permite a atacantes autenticados, con acceso de suscriptor o superior, eliminar valores de opciones arbitrarios en el sitio de WordPress. Esto puede aprovecharse para eliminar una opci\u00f3n que generar\u00eda un error en el sitio y denegar\u00eda el servicio a usuarios leg\u00edtimos."
}
],
"id": "CVE-2025-3952",
"lastModified": "2025-05-19T11:54:42.067",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2025-05-01T05:15:52.020",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/projectopia-core/trunk/includes/functions/admin/admin_functions.php#L838"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3284330/"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de7489e8-fe18-4a80-832c-aa62424c538b?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security@wordfence.com",
"type": "Primary"
}
]
}
CVE-2025-48257 (GCVE-0-2025-48257)
Vulnerability from cvelistv5
Published
2025-05-19 14:45
Modified
2025-05-19 15:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in Projectopia Projectopia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Projectopia: from n/a through 5.1.17.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Projectopia | Projectopia |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48257",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T15:08:59.511460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T15:18:30.631Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "projectopia-core",
"product": "Projectopia",
"vendor": "Projectopia",
"versions": [
{
"changes": [
{
"at": "5.1.18",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.1.17",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "0xd4rk5id3 (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in Projectopia Projectopia allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Projectopia: from n/a through 5.1.17.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Projectopia Projectopia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Projectopia: from n/a through 5.1.17."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T14:45:00.326Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/projectopia-core/vulnerability/wordpress-projectopia-5-1-17-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Projectopia plugin to the latest available version (at least 5.1.18)."
}
],
"value": "Update the WordPress Projectopia plugin to the latest available version (at least 5.1.18)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Projectopia \u003c= 5.1.17 - Broken Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-48257",
"datePublished": "2025-05-19T14:45:00.326Z",
"dateReserved": "2025-05-19T14:13:09.842Z",
"dateUpdated": "2025-05-19T15:18:30.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54336 (GCVE-0-2024-54336)
Vulnerability from cvelistv5
Published
2024-12-13 14:25
Modified
2024-12-13 16:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Projectopia Projectopia allows Authentication Bypass.This issue affects Projectopia: from n/a through 5.1.7.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Projectopia | Projectopia |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54336",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T16:11:44.115512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T16:11:54.634Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "projectopia-core",
"product": "Projectopia",
"vendor": "Projectopia",
"versions": [
{
"changes": [
{
"at": "5.1.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.1.7",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Muhamad Agil Fachrian (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuthentication Bypass Using an Alternate Path or Channel vulnerability in Projectopia Projectopia allows Authentication Bypass.\u003c/p\u003e\u003cp\u003eThis issue affects Projectopia: from n/a through 5.1.7.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Projectopia Projectopia allows Authentication Bypass.This issue affects Projectopia: from n/a through 5.1.7."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T14:25:36.750Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/projectopia-core/vulnerability/wordpress-projectopia-plugin-5-1-7-account-takeover-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Projectopia plugin to the latest available version (at least 5.1.8)."
}
],
"value": "Update the WordPress Projectopia plugin to the latest available version (at least 5.1.8)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Projectopia plugin \u003c= 5.1.7 - Account Takeover vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-54336",
"datePublished": "2024-12-13T14:25:36.750Z",
"dateReserved": "2024-12-02T12:05:09.387Z",
"dateUpdated": "2024-12-13T16:11:54.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32648 (GCVE-0-2025-32648)
Vulnerability from cvelistv5
Published
2025-04-17 15:47
Modified
2025-04-17 18:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-266 - Incorrect Privilege Assignment
Summary
Incorrect Privilege Assignment vulnerability in Projectopia Projectopia allows Privilege Escalation. This issue affects Projectopia: from n/a through 5.1.16.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Projectopia | Projectopia |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32648",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T17:42:37.243247Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T18:34:33.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "projectopia-core",
"product": "Projectopia",
"vendor": "Projectopia",
"versions": [
{
"lessThanOrEqual": "5.1.16",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "astra.r3verii (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Privilege Assignment vulnerability in Projectopia Projectopia allows Privilege Escalation.\u003c/p\u003e\u003cp\u003eThis issue affects Projectopia: from n/a through 5.1.16.\u003c/p\u003e"
}
],
"value": "Incorrect Privilege Assignment vulnerability in Projectopia Projectopia allows Privilege Escalation. This issue affects Projectopia: from n/a through 5.1.16."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T15:47:06.473Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/projectopia-core/vulnerability/wordpress-projectopia-project-magement-plugin-5-1-15-privilege-escalation-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Projectopia - Project Magement Plugin \u003c= 5.1.16 - Privilege Escalation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32648",
"datePublished": "2025-04-17T15:47:06.473Z",
"dateReserved": "2025-04-09T11:21:04.030Z",
"dateUpdated": "2025-04-17T18:34:33.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3952 (GCVE-0-2025-3952)
Vulnerability from cvelistv5
Published
2025-05-01 04:22
Modified
2025-05-01 13:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'pto_remove_logo' function in all versions up to, and including, 5.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| projectopia | Projectopia – WordPress Project Management |
Version: * ≤ 5.1.16 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3952",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T13:10:03.259127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T13:10:12.167Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Projectopia \u2013 WordPress Project Management",
"vendor": "projectopia",
"versions": [
{
"lessThanOrEqual": "5.1.16",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Cheng Liu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Projectopia \u2013 WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the \u0027pto_remove_logo\u0027 function in all versions up to, and including, 5.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T04:22:57.655Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de7489e8-fe18-4a80-832c-aa62424c538b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/projectopia-core/trunk/includes/functions/admin/admin_functions.php#L838"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3284330/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-30T15:45:10.000+00:00",
"value": "Disclosed"
}
],
"title": "Projectopia \u0026#8211; WordPress Project Management \u003c= 5.1.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3952",
"datePublished": "2025-05-01T04:22:57.655Z",
"dateReserved": "2025-04-25T22:06:55.889Z",
"dateUpdated": "2025-05-01T13:10:12.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}