Description
The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete arbitrary attachments.
Published: 2025-12-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated deletion of arbitrary attachments
Action: Apply Patch
AI Analysis

Impact

The Projectopia – Project Management plugin contains a missing capability check on the pto_delete_file AJAX action in all versions up to and including 5.1.19, allowing attackers to delete any attachment associated with a project without authentication. This can lead to loss of critical project documentation and media, effectively compromising the integrity and availability of project data for sites that rely on the plugin.

Affected Systems

Any WordPress installation that uses the Projectopia – Project Management Tool with a version of 5.1.19 or earlier is vulnerable. The vulnerability affects all users of the plugin regardless of their role because the capability check is absent entirely.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3 and an EPSS score of less than 1%, indicating a moderate severity but low likelihood of exploitation in the wild. It is not listed in CISA KEV, and the attack vector is inferred to be an unauthenticated remote request to the AJAX endpoint, which could be exploited by anyone able to send HTTP requests to the site.

Generated by OpenCVE AI on April 21, 2026 at 17:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Projectopia plugin to version 5.1.20 or later.
  • If an immediate update is not possible, temporarily restrict or block the pto_delete_file AJAX endpoint for unauthenticated users using .htaccess or a security plugin that enforces authentication on that action.
  • Monitor the site’s audit logs for unexpected attachment deletion activity and investigate any suspicious requests.

Generated by OpenCVE AI on April 21, 2026 at 17:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Fri, 05 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Projectopia
Projectopia projectopia
Wordpress
Wordpress wordpress
Vendors & Products Projectopia
Projectopia projectopia
Wordpress
Wordpress wordpress

Fri, 05 Dec 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete arbitrary attachments.
Title Projectopia – WordPress Project Management <= 5.1.19 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Projectopia Projectopia
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:48.324Z

Reserved: 2025-11-07T15:34:35.396Z

Link: CVE-2025-12876

cve-icon Vulnrichment

Updated: 2025-12-05T12:48:31.471Z

cve-icon NVD

Status : Deferred

Published: 2025-12-05T10:15:46.370

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12876

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:45:16Z

Weaknesses