Projectopia – WordPress Project Management <= 5.1.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion
Description
Authenticated subscribers can delete arbitrary WordPress options via the missing capability check in pto_remove_logo, leading to denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Projectopia – WordPress Project Management plugin for WordPress (all versions up to and including 5.1.16) is vulnerable to unauthorized data modification in the pto_remove_logo function due to a missing capability check [1]. The function is reachable by any authenticated user, regardless of privilege level. The plugin is available on the WordPress plugin repository as projectopia-core.
Exploitation
An authenticated attacker with at least Subscriber-level access can trigger the pto_remove_logo function via a crafted AJAX request. The function lacks a permission check, allowing the attacker to delete arbitrary option values from the WordPress options table [1]. No additional administrative or elevated privileges are required; the only prerequisite is a valid user account with Subscriber access or higher.
Impact
Successful exploitation enables the attacker to delete any WordPress option, including critical options such as siteurl or template. Deleting certain options causes the site to enter an error state, effectively denying legitimate users access to the site [1]. The impact is a complete denial of service (DoS) for the WordPress installation.
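The bug class described above, shown as an added PHP example of a hardened AJAX handler; it is not Projectopia's code or the vendor's patch. The action name `example_remove_logo`, the `nonce` and `option` request fields, and the `example_*` option names are hypothetical.

```php
<?php
// Added illustration; NOT Projectopia's code. The action name, nonce action,
// request fields and option names below are hypothetical.

// Only these plugin-owned options may ever be deleted through this endpoint.
const EXAMPLE_LOGO_OPTIONS = array( 'example_company_logo', 'example_invoice_logo' );

// wp_ajax_{action} fires for ANY logged-in user, Subscribers included, so
// registering the hook is not an authorization check by itself.
add_action( 'wp_ajax_example_remove_logo', 'example_remove_logo' );

function example_remove_logo() {
	// 1. CSRF: require a nonce issued for this specific action.
	check_ajax_referer( 'example_remove_logo', 'nonce' );

	// 2. Authorization: the kind of capability check the advisory reports as missing.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}

	// 3. Input: never pass a request-supplied name straight to delete_option().
	//    Match it against a fixed allowlist so core options such as siteurl
	//    or template can never be reached through this handler.
	$name = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
	if ( ! in_array( $name, EXAMPLE_LOGO_OPTIONS, true ) ) {
		wp_send_json_error( array( 'message' => 'Unknown option' ), 400 );
	}

	delete_option( $name );
	wp_send_json_success( array( 'deleted' => $name ) );
}
```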
Mitigation
The vendor has released version 5.1.25.2 (last updated 2026-05-07), which presumably addresses the vulnerability [1]. Users should update to the latest version immediately. If an update is not possible, site administrators should disable the plugin until a patch can be applied. No workaround is documented in the available references.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.1.16
- projectopia/Projectopia – Project Management Tool v5 Range: 0
Patches
- r3284330