CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
What the vulnerability does
The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete arbitrary attachments.
Explanation of Vulnerability in Simple Terms
Projectopia versions up to 5.1.19 lack proper authorization checks, allowing unauthenticated attackers to modify data through network requests. The vulnerability does not expose sensitive information or disrupt availability, but attackers can alter records without authentication. Update to a version newer than 5.1.19 to resolve this issue.
What an attacker can do
Modify data in Projectopia without logging in.
Potential impact on your site
Unauthorized changes to project data, records, or settings without any user action needed.
Conditions required to exploit
Network access to the Projectopia instance; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
