Skip to main content

Projectopia CVE-2025-59133

| EUVDEUVD-2025-210157 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-15 Patchstack GHSA-q2pm-9565-7wm6
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network IDOR with no user interaction yields AV:N/AC:L/PR:N/UI:N; impact is read-only disclosure of role data, so C:H and I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:42 vuln.today

DescriptionCVE.org

Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.

AnalysisAI

Information disclosure in the Projectopia WordPress plugin (versions <= 5.1.25.2) allows remote unauthenticated attackers to access custom role data belonging to other users via Insecure Direct Object Reference flaws. The CVSS 7.5 score reflects high confidentiality impact with no integrity or availability consequences, and no public exploit identified at time of analysis.

Technical ContextAI

Projectopia is a WordPress project management plugin (CPE: cpe:2.3:a:projectopia:projectopia:*) that exposes endpoints handling custom role objects keyed by direct identifiers. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), where the application accepts a user-supplied object reference (such as a role ID) without verifying that the requester is authorized to access that specific resource. This pattern is endemic to WordPress plugins that build REST or AJAX handlers without re-checking capability and ownership for the specific object being requested.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory does not name a fixed release in the supplied intelligence, so administrators should monitor https://patchstack.com/database/wordpress/plugin/projectopia-core/vulnerability/wordpress-projectopia-plugin-5-1-19-insecure-direct-object-references-idor-vulnerability and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-59133 for an updated Projectopia release above 5.1.25.2. As compensating controls, deactivate the Projectopia plugin if custom roles are not actively used (eliminates exposure but removes project-management features), restrict access to wp-admin/admin-ajax.php and the plugin's REST routes to authenticated office IPs via a WAF or web server ACL (may break legitimate front-end client portals), and enroll the site in a virtual-patching WAF such as Patchstack or Wordfence which typically ships an IDOR rule shortly after disclosure (adds latency and a third-party dependency).

Share

CVE-2025-59133 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy