{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12876", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-07T15:34:35.396Z", "datePublished": "2025-12-05T09:27:02.882Z", "dateUpdated": "2026-04-08T17:09:48.324Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:48.324Z"}, "affected": [{"vendor": "projectopia", "product": "Projectopia \u2013 Project Management Tool", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.19", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Projectopia \u2013 WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete arbitrary attachments."}], "title": "Projectopia \u2013 WordPress Project Management <= 5.1.19 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/940c6a27-05a2-4eca-89ee-b483f88b9524?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/projectopia-core/trunk/includes/functions/general/general_functions.php#L389"}, {"url": "https://plugins.trac.wordpress.org/changeset/3417635/projectopia-core/trunk/includes/functions/general/general_functions.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-04T20:37:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T12:48:22.781630Z", "id": "CVE-2025-12876", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T12:48:35.149Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12876", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T12:48:22.781630Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T12:48:31.471Z"}}], "cna": {"title": "Projectopia \u2013 WordPress Project Management <= 5.1.19 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "projectopia", "product": "Projectopia \u2013 WordPress Project Management", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.1.19"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T20:37:48.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/940c6a27-05a2-4eca-89ee-b483f88b9524?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/projectopia-core/trunk/includes/functions/general/general_functions.php#L389"}], "descriptions": [{"lang": "en", "value": "The Projectopia \u2013 WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete arbitrary attachments."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-05T09:27:02.882Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12876", "state": "PUBLISHED", "dateUpdated": "2025-12-05T12:48:35.149Z", "dateReserved": "2025-11-07T15:34:35.396Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T09:27:02.882Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Projectopia \u2013 WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete arbitrary attachments."}], "id": "CVE-2025-12876", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T10:15:46.370", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/projectopia-core/trunk/includes/functions/general/general_functions.php#L389"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3417635/projectopia-core/trunk/includes/functions/general/general_functions.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/940c6a27-05a2-4eca-89ee-b483f88b9524?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:42:56.744009+00:00", "value": {"mitigation_remediation": ["Update the Projectopia plugin to version 5.1.20 or later.", "If an immediate update is not possible, temporarily restrict or block the pto_delete_file AJAX endpoint for unauthenticated users using .htaccess or a security plugin that enforces authentication on that action.", "Monitor the site\u2019s audit logs for unexpected attachment deletion activity and investigate any suspicious requests."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated deletion of arbitrary attachments"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that uses the Projectopia \u2013 Project Management Tool with a version of 5.1.19 or earlier is vulnerable. The vulnerability affects all users of the plugin regardless of their role because the capability check is absent entirely.", "description_and_impact": "The Projectopia \u2013 Project Management plugin contains a missing capability check on the pto_delete_file AJAX action in all versions up to and including 5.1.19, allowing attackers to delete any attachment associated with a project without authentication. This can lead to loss of critical project documentation and media, effectively compromising the integrity and availability of project data for sites that rely on the plugin.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3 and an EPSS score of less than 1%, indicating a moderate severity but low likelihood of exploitation in the wild. It is not listed in CISA KEV, and the attack vector is inferred to be an unauthenticated remote request to the AJAX endpoint, which could be exploited by anyone able to send HTTP requests to the site."}}}}, "created": "2025-12-05T20:56:28.848332+00:00", "updated": "2026-04-21T17:45:16.490742+00:00", "vendors": ["projectopia", "projectopia$PRODUCT$projectopia", "wordpress", "wordpress$PRODUCT$wordpress"]}