Description
The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'pto_remove_logo' function in all versions up to, and including, 5.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.
Published: 2025-05-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via privileged option deletion
Action: Patch Immediately
AI Analysis

Impact

The Projectopia plugin for WordPress contains a missing capability check in the pto_remove_logo function. Authenticated users with the Subscriber role or higher can delete any WordPress option value. Removing a critical option can trigger a site error that disrupts the entire site, denying service to legitimate users. The weakness corresponds to CWE‑862, missing authorization.

Affected Systems

All releases of the Projectopia – Project Management Tool plugin for WordPress up to and including version 5.1.16 are affected. Any WordPress installation that has this plugin installed and has users with Subscriber or higher privileges is vulnerable until the plugin is updated beyond 5.1.16.

Risk and Exploitability

The CVSS score of 8.1 indicates a high impact on availability, and the EPSS score of less than 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalogue. The likely attack vector is authenticated, as authenticated requests to the admin interface or any authenticated call to the pto_remove_logo action can trigger the flaw. Attackers require only basic access rights; no further privileges are granted.

Generated by OpenCVE AI on April 21, 2026 at 21:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Projectopia plugin to version 5.1.17 or later
  • If an immediate update is not possible, modify the plugin’s admin_functions.php file for pto_remove_logo to add a capability check such as current_user_can('manage_options') so that only administrators can call the function
  • Reassess the capabilities assigned to Subscriber level users or use a role‑management plugin to remove the ability for those users to delete options

Generated by OpenCVE AI on April 21, 2026 at 21:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15020 The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'pto_remove_logo' function in all versions up to, and including, 5.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.
History

Mon, 19 May 2025 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Projectopia
Projectopia projectopia
CPEs cpe:2.3:a:projectopia:projectopia:*:*:*:*:*:wordpress:*:*
Vendors & Products Projectopia
Projectopia projectopia

Thu, 01 May 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 01 May 2025 04:30:00 +0000

Type Values Removed Values Added
Description The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'pto_remove_logo' function in all versions up to, and including, 5.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.
Title Projectopia &#8211; WordPress Project Management <= 5.1.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Projectopia Projectopia
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:18.803Z

Reserved: 2025-04-25T22:06:55.889Z

Link: CVE-2025-3952

cve-icon Vulnrichment

Updated: 2025-05-01T13:10:08.020Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-01T05:15:52.020

Modified: 2025-05-19T11:54:42.067

Link: CVE-2025-3952

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses