Overview
CVE-2025-12876 is a medium severity vulnerability affecting the Projectopia – WordPress Project Management plugin for WordPress. This vulnerability allows unauthenticated attackers to delete arbitrary attachments on a WordPress site running a vulnerable version of the plugin. Specifically, versions up to and including 5.1.19 are affected. The root cause is a missing capability check on the pto_delete_file AJAX action.
Technical Details
The vulnerability stems from the pto_delete_file AJAX action within the Projectopia plugin. This action is intended to allow authorized users to delete files associated with projects. However, due to the absence of a proper capability check before executing the file deletion logic, an unauthenticated user can craft a malicious request targeting this AJAX action, specifying the ID of the attachment they wish to delete. The vulnerable code is located within the general_functions.php file.
Simplified example of the vulnerable handler (the real code is in the plugin's repository on plugins.trac.wordpress.org):
// Vulnerable code snippet (conceptual)
// Both hooks register the same callback; the wp_ajax_nopriv_* hook makes it
// reachable by visitors who are not logged in at all.
add_action( 'wp_ajax_pto_delete_file', 'pto_delete_file_callback' );
add_action( 'wp_ajax_nopriv_pto_delete_file', 'pto_delete_file_callback' );

function pto_delete_file_callback() {
    $attachment_id = $_POST['attachment_id']; // No capability check and no nonce check
    wp_delete_attachment( $attachment_id, true ); // Permanent deletion: the attachment bypasses the trash
    wp_send_json_success();
}
Note: The code above is a simplified representation of the actual vulnerable code for demonstration purposes.
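For defenders looking for attempts to reach this handler in existing logs, the following Python script is an added example (not code from the advisory or from the plugin). WordPress dispatches AJAX calls through wp-admin/admin-ajax.php and reads the action name from $_REQUEST, so it can arrive in the query string or in the POST body. A standard combined-format access log records only the query string, which is the limit of what this script can see; POST-body invocations are only visible in WAF or application-level logging. The log lines are constructed for the example, and the IP addresses are documentation ranges.

```python
"""Triage web-server access logs for calls to the Projectopia pto_delete_file
AJAX action (added example; not from the advisory or the plugin)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

TARGET_ACTION = "pto_delete_file"

# Constructed sample log: two query-string invocations of the target action from
# one client, ordinary traffic from another, and a POST whose action is only in
# the (unlogged) body.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2025:10:14:01 +0000] "POST /wp-admin/admin-ajax.php?action=pto_delete_file HTTP/1.1" 200 27 "-" "python-requests/2.32"
203.0.113.7 - - [03/Dec/2025:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=pto_delete_file HTTP/1.1" 200 27 "-" "python-requests/2.32"
198.51.100.2 - - [03/Dec/2025:10:15:11 +0000] "GET /projects/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.2 - - [03/Dec/2025:10:15:20 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2025:10:14:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "-" "python-requests/2.32"
"""


def parse_line(line):
    """Parse one combined-format line into a dict with ip, time, method, path,
    status and the AJAX 'action' seen in the query string (None when the
    request is not an admin-ajax.php call or carries no visible action)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["action"] = None
    if parts.path.endswith("/wp-admin/admin-ajax.php"):
        rec["action"] = parse_qs(parts.query).get("action", [None])[0]
    return rec


def find_delete_file_calls(log_text):
    """Return the parsed records whose visible action is pto_delete_file."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == TARGET_ACTION:
            hits.append(rec)
    return hits


def callers(log_text):
    """Count matching requests per client IP so follow-up can be prioritised."""
    return Counter(rec["ip"] for rec in find_delete_file_calls(log_text))


if __name__ == "__main__":
    for rec in find_delete_file_calls(SAMPLE_LOG):
        print(rec["time"], rec["ip"], rec["method"], rec["path"], rec["status"])
    print(dict(callers(SAMPLE_LOG)))
```

A 200 response to such a request says nothing on its own about whether a deletion happened, since the handler returns success JSON either way; correlate hits against the media library or backups to confirm which attachments are missing.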
CVSS Analysis
- Severity: MEDIUM
- CVSS Score: 5.3
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Explanation: This score reflects the fact that an unauthenticated attacker can remotely delete files without any user interaction. The confidentiality and availability impacts are rated none, while the integrity impact is low because attackers can alter the state of the website by deleting files.
Possible Impact
Successful exploitation of this vulnerability can lead to:
- Data Loss: Important files and attachments related to projects can be deleted, potentially disrupting workflows and causing data loss.
- Website Defacement: While not a direct defacement, deleting essential files can cause the website to malfunction or display errors, effectively defacing it.
- Business Disruption: Loss of project-related files can significantly disrupt business operations and project timelines.
Mitigation or Patch Steps
The most effective mitigation is to update the Projectopia plugin to the latest version, which should contain a fix for this vulnerability. If an update is not yet available, consider temporarily disabling the plugin until a patched version is released.
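To find out whether an installation is in the affected range before deciding between updating and disabling, the following Python script is an added example (not from the advisory or the plugin). It reads the Version: line from the plugin's main PHP file header, which every WordPress plugin declares, and compares it against 5.1.19. The plugin header text is constructed for the example, and the plugin is recognised by a Plugin Name: line containing "Projectopia", which is an assumption about the header rather than something the advisory states.

```python
"""Check whether an installed Projectopia plugin is in the affected range
(<= 5.1.19) by reading its plugin header (added example, not from the advisory)."""
import re
from pathlib import Path

LAST_AFFECTED = (5, 1, 19)  # "versions up to and including 5.1.19"

# WordPress plugin headers sit in a leading comment block, one "Key: value" per line.
NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

# Constructed sample header for the example; the real file is not reproduced here.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Projectopia - WordPress Project Management
 * Version: 5.1.19
 */
"""


def parse_version(text):
    """Turn '5.1.19' (or '5.1.19-beta') into a 3-tuple of ints; a non-numeric
    suffix is ignored and missing components are padded with 0."""
    core = text.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version_text):
    """True when the version is <= 5.1.19, the range the advisory names."""
    return parse_version(version_text) <= LAST_AFFECTED


def plugin_name_from_header(php_source):
    m = NAME_RE.search(php_source)
    return m.group(1) if m else None


def version_from_header(php_source):
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def assess_plugin_source(php_source):
    """Return (plugin name, version, affected?) if the header names Projectopia
    (assumed match rule), else None."""
    name = plugin_name_from_header(php_source)
    if not name or "projectopia" not in name.lower():
        return None
    version = version_from_header(php_source)
    return (name, version, version is not None and is_affected(version))


def scan_plugins_dir(plugins_dir):
    """Assess every top-level PHP file of every plugin under wp-content/plugins."""
    results = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        verdict = assess_plugin_source(php_file.read_text(errors="replace"))
        if verdict:
            results.append((php_file.parent.name,) + verdict)
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for entry in scan_plugins_dir(sys.argv[1]):
            print(entry)
    else:
        print(assess_plugin_source(SAMPLE_HEADER))
```

Run it with the path to wp-content/plugins as the only argument; with no argument it assesses the constructed sample header. A version found to be affected means the site should be updated or the plugin disabled, as described above.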
Specifically, a capability check needs to be added to the pto_delete_file_callback function to ensure only authorized users (e.g., administrators or project managers with appropriate permissions) can delete files. This can be achieved using WordPress’s built-in current_user_can() function.
Example of how the fix could look (Conceptual):
// Fixed code snippet (conceptual)
// Only the logged-in hook is registered: a wp_ajax_nopriv_* hook is not needed once
// the callback requires a capability that unauthenticated visitors never have.
add_action( 'wp_ajax_pto_delete_file', 'pto_delete_file_callback' );

function pto_delete_file_callback() {
    // Capability check. 'manage_options' is an example; use the capability that
    // actually matches the plugin's file-management role.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
        wp_die();
    }
    // A nonce check via check_ajax_referer() belongs here too; its action name is plugin-specific.

    // Only accept a non-negative integer ID that really refers to an attachment.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'Invalid attachment' );
        wp_die();
    }
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}
Note: The actual fix will depend on the plugin developer; the code above is a conceptual illustration only.
