Impact
The Projectopia plugin contains an Insecure Direct Object Reference that allows an attacker to read or manipulate custom role information without proper authorization, thereby compromising the integrity of role‑based permissions.
Affected Systems
WordPress sites using the Projectopia plugin version 5.1.25.2 or earlier are affected; the vulnerability exists in the Projectopia core component for WordPress.
Risk and Exploitability
Based on the description, it is inferred that attacks would require an authenticated user with insufficient role‑management permissions who supplies arbitrary role identifiers. The likely attack vector is an authenticated user performing unauthorized role queries or manipulations through the plugin, leveraging the IDOR flaw. The CVSS score of 7.5 highlights a high severity risk. The EPSS score of less than 1% indicates that exploitation is currently rare, and the vulnerability is not present in the CISA KEV catalog.
OpenCVE Enrichment