Impact
Projectopia Core version 5.1.24 and earlier contain an incorrect privilege assignment flaw that allows a legitimate user to gain elevated capabilities beyond those they should possess. The vulnerability arises from the plugin’s failure to correctly enforce role permissions, leading to a privilege escalation scenario that could let an attacker assume the rights of an administrator or other high‑privilege users. This flaw could therefore be used to modify site configuration, access sensitive information, or compromise the entire WordPress installation.
Affected Systems
All WordPress installations that have the Projectopia Core plugin at any version equal to or lower than 5.1.24 are potentially affected. The plugin, often marketed simply as Projectopia or Projectopia Core, is typically used for project management features and is integrated into the WordPress admin dashboard. No specific operating systems or hardware prerequisites are listed, so the issue applies to any environment running a vulnerable plugin version.
Risk and Exploitability
The CVSS score of 9.8 ranks this flaw as critical. Although its EPSS score is below 1 %, indicating a low estimated probability of exploitation, the weakness remains exposed in the wild on any site still running a vulnerable version. Attackers with ordinary authenticated access to the vulnerable plugin, such as users with an unprivileged role, can manipulate the permission checks and elevate themselves to administrator without any additional credentials. The vulnerability is not listed in the CISA KEV catalog, so no exploitation in known incidents has been confirmed, but the high severity means site operators should act swiftly. The vulnerability is exploited by sending crafted requests to functions that perform privilege checks, bypassing role restrictions to perform administrative operations.
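The weakness class described in the Impact and Risk sections, a plugin endpoint that assigns roles without properly enforcing who may do so, is illustrated below with an added, hypothetical WordPress AJAX handler. This is example code written for this page, not Projectopia's code; the action names, function names and the roles `hypo_client` / `hypo_team_member` are assumptions.

```php
<?php
// Added illustration (hypothetical, not Projectopia code) of an
// incorrect-privilege-assignment pattern in a WordPress plugin and its fix.

// BEFORE (flawed pattern): being logged in is the only gate. Any authenticated
// user, whatever their role, can reach this handler and pick a new role.
add_action( 'wp_ajax_hypo_set_role', 'hypo_set_role_unsafe' );
function hypo_set_role_unsafe() {
    $role = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : 'subscriber';
    $user = wp_get_current_user();
    $user->set_role( $role ); // no capability check, no nonce, no role allow-list
    wp_send_json_success();
}

// AFTER (hardened): require a valid nonce, require a capability that already
// implies the right to change roles, restrict the assignable roles to the ones
// the plugin is designed to hand out, and check authority over the target user.
add_action( 'wp_ajax_hypo_set_role_v2', 'hypo_set_role_safe' );
function hypo_set_role_safe() {
    // Rejects the request (HTTP 403) if the nonce is missing or invalid.
    check_ajax_referer( 'hypo_set_role', 'nonce' );

    // 'promote_users' is the core capability for changing roles; by default
    // only administrators hold it.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Hypothetical plugin-specific roles; 'administrator' is deliberately absent.
    $allowed = array( 'hypo_client', 'hypo_team_member' );
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';
    if ( ! in_array( $role, $allowed, true ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }

    // The caller must also be allowed to edit the specific target account.
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $target_id || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $target = get_user_by( 'id', $target_id );
    if ( ! $target ) {
        wp_send_json_error( 'no such user', 404 );
    }
    $target->set_role( $role );
    wp_send_json_success( array( 'user_id' => $target_id, 'role' => $role ) );
}
```

When reviewing a plugin for this class of flaw, look for every handler that calls set_role(), add_role() or updates user meta that drives authorization, and confirm each one performs a capability check and nonce verification before acting.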
OpenCVE Enrichment