Description
Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Projectopia plugin contains an Insecure Direct Object Reference that allows an attacker to read or manipulate custom role information without proper authorization, thereby compromising the integrity of role‑based permissions.

Affected Systems

WordPress sites using the Projectopia plugin version 5.1.25.2 or earlier are affected; the vulnerability exists in the Projectopia core component for WordPress.

Risk and Exploitability

The CVSS score of 7.5 highlights a high severity risk. The EPSS score of less than 1% indicates that exploitation is currently rare, and the vulnerability is not present in the CISA KEV catalog. Attacks would require an authenticated user who can supply arbitrary role identifiers, suggesting that the exploitation vector is most likely through legitimate user access lacking proper permission checks.

Generated by OpenCVE AI on June 16, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Projectopia to a released version newer than 5.1.25.2
  • Restrict role‑management capabilities to administrators or appropriately privileged users
  • Implement additional input validation to ensure role identifiers are verified against the user’s permissions before processing

Generated by OpenCVE AI on June 16, 2026 at 20:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Projectopia
Projectopia projectopia
Wordpress
Wordpress wordpress
Vendors & Products Projectopia
Projectopia projectopia
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.
Title WordPress Projectopia plugin <= 5.1.25.2 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Projectopia Projectopia
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:42:08.374Z

Reserved: 2025-09-09T14:47:17.697Z

Link: CVE-2025-59133

cve-icon Vulnrichment

Updated: 2026-06-16T12:42:03.410Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:37.933

Modified: 2026-06-15T21:24:32.790

Link: CVE-2025-59133

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T21:00:12Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key