CVE-2025-39366 HIGH

CVE-2025-39366: WordPress wProject theme < 5.8.0 - Subscriber+ Privilege Escalation vulnerability

Vendor Rocket Apps
Product wProject
Weakness CWE-266
Published May 19, 2025
Last update April 28, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Incorrect Privilege Assignment vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0.

Explanation of Vulnerability in Simple Terms

02Summary

wProject versions before 5.8.0 contain an insufficient privilege validation flaw that allows authenticated users with low-level access to read, modify, or delete sensitive data and disrupt site operations. The vulnerability requires a valid user account but no special interaction. Administrators should update to version 5.8.0 or later immediately.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete sensitive data; disrupt site availability.

Potential impact on your site

04Site Impact

Any logged-in user can access or alter critical data and cause service disruption.

Conditions required to exploit

05Prerequisites

Valid user account with low-level privileges; network access to the site.

Key dates

06Disclosure timeline

May 19, 2025 CVE published
April 28, 2026 Record updated