Description
Missing Authorization vulnerability in Rocket Apps wProject. This issue affects wProject: from n/a before 5.8.0.
Published: 2025-05-19
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check in the Rocket Apps wProject WordPress theme, allowing any visitor to modify or delete content such as posts, comments, or attachments without authentication. This can lead to defacement, data loss, or manipulation of site content, potentially undermining the site’s integrity and reliability.

Affected Systems

All installations of the Rocket Apps wProject theme running a version earlier than 5.8.0 are affected: any WordPress site that has the theme active and has not updated to the fixed release, 5.8.0 or later.

Risk and Exploitability

The CVSS score of 8.2 classifies the weakness as high severity, and the EPSS score of less than 1% indicates a low but nonzero probability of exploitation. The attack requires the presence of the theme on a WordPress site and does not rely on any user authentication; an unauthenticated user can trigger the vulnerable functionality, typically through the theme’s exposed endpoints or REST API. The vulnerability is not currently listed in CISA’s KEV catalog, meaning no widespread, known exploitation is documented at this time.

Generated by OpenCVE AI on May 2, 2026 at 01:31 UTC.

Remediation

Vendor Solution

Update the WordPress wProject theme to the latest available version (at least 5.8.0).


OpenCVE Recommended Actions

  • Update the wProject theme to version 5.8.0 or later
  • Modify the theme to enforce a capability check so that only users with the appropriate permissions can delete or edit posts, comments, or attachments. If a custom plugin is not available, temporarily disable those features until the patch is applied.
  • Use a security firewall or WordPress security plugin to block unauthenticated requests to the wProject theme’s REST API endpoints, ensuring that only authenticated users can interact with those services.
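As an added illustration of the capability-check action above, the following is a WordPress REST route that deletes a post only after a permission_callback has verified the caller's capability; this is example code, not wProject's own, and the route, function and parameter names are hypothetical.

```php
<?php
// Added example: hardened WordPress REST route for deleting a post.
// Route, function and parameter names are hypothetical, not taken from wProject.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-theme/v1', '/posts/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_theme_delete_post',
        // The piece a CWE-862 bug lacks: without this callback (or with
        // '__return_true') every unauthenticated visitor reaches the delete handler.
        'permission_callback' => 'example_theme_can_delete_post',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Authorization check: map the request onto the WordPress meta capability
// for this specific post, so a logged-in author cannot delete others' posts.
function example_theme_can_delete_post( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        // 401 for anonymous callers, 403 for logged-in users lacking the capability.
        return new WP_Error( 'rest_forbidden', 'Not allowed to delete this post.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    if ( ! get_post( $post_id ) ) {
        // Existence is only revealed to callers who passed the capability check.
        return new WP_Error( 'rest_post_not_found', 'Post not found.', array( 'status' => 404 ) );
    }
    return true;
}

// Runs only after example_theme_can_delete_post() returned true.
function example_theme_delete_post( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    if ( ! wp_delete_post( $post_id, false ) ) { // false: trash rather than hard delete
        return new WP_Error( 'rest_cannot_delete', 'Delete failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => true, 'id' => $post_id ) );
}
```

Cookie-authenticated REST calls must also send a valid X-WP-Nonce header; without it WordPress treats the caller as unauthenticated, so the check fails closed. The same current_user_can() pattern covers attachments (delete_post on the attachment ID) and comments (edit_comment on the comment ID).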



Advisories

Source: EUVD
ID: EUVD-2025-15783
Title: Missing Authorization vulnerability in Rocket Apps wProject. This issue affects wProject: from n/a before 5.8.0.
History

Tue, 28 Apr 2026 19:45:00 +0000

Tue, 28 Apr 2026 18:30:00 +0000

Description
  Removed: Missing Authorization vulnerability in Rocket Apps wProject wproject.This issue affects wProject: from n/a through < 5.8.0.
  Added: Missing Authorization vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0.
References

Thu, 23 Apr 2026 15:30:00 +0000

Thu, 23 Apr 2026 15:00:00 +0000

Description
  Removed: Missing Authorization vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0.
  Added: Missing Authorization vulnerability in Rocket Apps wProject wproject.This issue affects wProject: from n/a through < 5.8.0.
References

Mon, 19 May 2025 22:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 May 2025 20:00:00 +0000

Description
  Added: Missing Authorization vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0.
Title
  Added: WordPress wProject theme < 5.8.0 - Unauthenticated Post/Comment/Attachment Modification/Deletion vulnerability
Weaknesses
  Added: CWE-862
References
Metrics (cvssV3_1)
  Added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.328Z

Reserved: 2025-04-16T06:22:10.074Z

Link: CVE-2025-39350

Vulnrichment

Updated: 2025-05-19T21:11:20.239Z

NVD

Status: Deferred

Published: 2025-05-19T20:15:23.043

Modified: 2026-04-28T19:31:51.307

Link: CVE-2025-39350

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:45:26Z

Weaknesses