Description
Incorrect Privilege Assignment vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0.
Published: 2025-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a privilege assignment flaw in the Rocket Apps wProject WordPress theme that allows a malicious actor with a Subscriber role to perform actions normally reserved for administrators, effectively bypassing the intended access controls and raising the user’s privileges. This weakness falls under CWE-266 – Incorrect Privilege Assignment.

Affected Systems

All installations of the wProject theme for WordPress running a version older than 5.8.0 are affected, meaning any pre-5.8.0 release of the Rocket Apps theme is vulnerable.

Risk and Exploitability

The CVSS score of 8.8 signals high impact, the EPSS score is below 1 percent indicating low exploitation likelihood, and the vulnerability is not listed in CISA’s KEV catalog. A likely attack vector is an authenticated user with Subscriber role acting through the WordPress admin interface; once privilege escalation is achieved, the attacker could modify site settings, publish content, or compromise other user accounts.

Generated by OpenCVE AI on May 1, 2026 at 08:15 UTC.

Remediation

Vendor Solution

Update the WordPress wProject theme to the latest available version (at least 5.8.0).

OpenCVE Recommended Actions

  • Update the wProject theme to version 5.8.0 or later.
  • If the theme cannot be upgraded immediately, disable or remove the wProject theme until a patch is available.
  • Use a role‑management plugin to revoke any admin‑level capabilities assigned to the Subscriber role.

Generated by OpenCVE AI on May 1, 2026 at 08:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15775 Incorrect Privilege Assignment vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0.
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in Rocket Apps wProject wproject.This issue affects wProject: from n/a through < 5.8.0. Incorrect Privilege Assignment vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0.
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0. Incorrect Privilege Assignment vulnerability in Rocket Apps wProject wproject.This issue affects wProject: from n/a through < 5.8.0.
References

Mon, 19 May 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 19 May 2025 19:45:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0.
Title WordPress wProject theme < 5.8.0 - Subscriber+ Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.565Z

Reserved: 2025-04-16T06:22:20.495Z

Link: CVE-2025-39366

cve-icon Vulnrichment

Updated: 2025-05-19T21:12:10.249Z

cve-icon NVD

Status : Deferred

Published: 2025-05-19T20:15:24.097

Modified: 2026-04-28T19:31:52.290

Link: CVE-2025-39366

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses