Description
Missing Authorization vulnerability in Projectopia Projectopia projectopia-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Projectopia: from n/a through <= 5.1.17.
Published: 2025-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Projectopia projectopia-core contains a missing authorization flaw that allows users to gain unauthorized access to protected resources. The vulnerability stems from incorrect handling of access control security levels, creating a potential for an attacker to elevate privileges or manipulate content. This flaw is identified as CWE-862, which indicates a missing or inadequate authorization control.

Affected Systems

WordPress sites running the Projectopia plugin version 5.1.17 or earlier are susceptible. The vulnerability impact covers the entire plugin functionality, affecting users who can upload or edit content depending on the site configuration.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity risk. The EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The vulnerability is not currently listed in CISA's KEV catalog, implying it has not been observed in the wild. Attackers are likely to exploit this vulnerability by identifying sites with Projectopia 5.1.17 or older and then attempting to access protected actions that should be restricted.

Generated by OpenCVE AI on April 30, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Projectopia plugin to a version newer than 5.1.17 once it becomes available
  • Verify that the site’s role and permission settings enforce least‑privilege and that no content creation rights are granted to untrusted users
  • Review and harden the plugin’s access control configuration settings to ensure that security levels are properly applied
  • Consider implementing additional web‑application firewall rules to block unauthorized requests to Projectopia endpoints

Generated by OpenCVE AI on April 30, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28176 Missing Authorization vulnerability in Projectopia Projectopia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Projectopia: from n/a through 5.1.17.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Projectopia Projectopia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Projectopia: from n/a through 5.1.17. Missing Authorization vulnerability in Projectopia Projectopia projectopia-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Projectopia: from n/a through <= 5.1.17.
Title WordPress Projectopia <= 5.1.17 - Broken Access Control Vulnerability WordPress Projectopia plugin <= 5.1.17 - Broken Access Control Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 19 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 May 2025 15:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Projectopia Projectopia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Projectopia: from n/a through 5.1.17.
Title WordPress Projectopia <= 5.1.17 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Projectopia Projectopia
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:54.328Z

Reserved: 2025-05-19T14:13:09.842Z

Link: CVE-2025-48257

cve-icon Vulnrichment

Updated: 2025-05-19T15:08:58.326Z

cve-icon NVD

Status : Deferred

Published: 2025-05-19T15:15:28.740

Modified: 2026-04-23T15:30:58.813

Link: CVE-2025-48257

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T20:00:14Z

Weaknesses