CVE-2025-12876
BaseFortify
Publication date: 2025-12-05
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | projectopia | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Projectopia WordPress Project Management plugin up to version 5.1.19. It is caused by a missing capability check on the pto_delete_file AJAX action, which allows unauthenticated attackers to delete arbitrary attachments without proper authorization.
How can this vulnerability impact me? :
The vulnerability allows unauthenticated attackers to delete arbitrary attachments, which can lead to loss of important files or data within the WordPress site using the Projectopia plugin. This could disrupt project management activities and result in data integrity issues.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for unauthorized AJAX requests to the 'pto_delete_file' action, especially from unauthenticated users. Since the vulnerability allows unauthenticated deletion of attachments, checking web server logs for POST requests to admin-ajax.php with the parameter 'action=pto_delete_file' originating from unknown or suspicious IP addresses may help. Additionally, inspecting WordPress file attachment records for unexpected deletions could indicate exploitation. Specific commands depend on your environment, but for example, using grep on web server logs: `grep 'action=pto_delete_file' /var/log/apache2/access.log` or equivalent. There are no explicit detection commands provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Projectopia plugin to a version later than 5.1.19 where the missing capability check on the 'pto_delete_file' AJAX action is fixed. If an update is not immediately possible, restricting access to admin-ajax.php or implementing firewall rules to block unauthenticated requests to the 'pto_delete_file' action can help. Additionally, monitoring and auditing file deletions and applying WordPress security best practices such as limiting plugin access and using security plugins to detect suspicious activity are recommended. [1]