Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network IDOR with no user interaction yields AV:N/AC:L/PR:N/UI:N; impact is read-only disclosure of role data, so C:H and I:N/A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.
AnalysisAI
Information disclosure in the Projectopia WordPress plugin (versions <= 5.1.25.2) allows remote unauthenticated attackers to access custom role data belonging to other users via Insecure Direct Object Reference flaws. The CVSS 7.5 score reflects high confidentiality impact with no integrity or availability consequences, and no public exploit identified at time of analysis.
Technical ContextAI
Projectopia is a WordPress project management plugin (CPE: cpe:2.3:a:projectopia:projectopia:*) that exposes endpoints handling custom role objects keyed by direct identifiers. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), where the application accepts a user-supplied object reference (such as a role ID) without verifying that the requester is authorized to access that specific resource. This pattern is endemic to WordPress plugins that build REST or AJAX handlers without re-checking capability and ownership for the specific object being requested.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory does not name a fixed release in the supplied intelligence, so administrators should monitor https://patchstack.com/database/wordpress/plugin/projectopia-core/vulnerability/wordpress-projectopia-plugin-5-1-19-insecure-direct-object-references-idor-vulnerability and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-59133 for an updated Projectopia release above 5.1.25.2. As compensating controls, deactivate the Projectopia plugin if custom roles are not actively used (eliminates exposure but removes project-management features), restrict access to wp-admin/admin-ajax.php and the plugin's REST routes to authenticated office IPs via a WAF or web server ACL (may break legitimate front-end client portals), and enroll the site in a virtual-patching WAF such as Patchstack or Wordfence which typically ships an IDOR rule shortly after disclosure (adds latency and a third-party dependency).
More in Projectopia
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210157
GHSA-q2pm-9565-7wm6