CVE-2025-39350: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability has been identified in Rocket Apps wProject affecting versions before 5.8.0. The vulnerability was discovered by Dave Jong from Patchstack and was disclosed on May 19, 2025, with CVE identifier CVE-2025-39350 (Patchstack Database).

The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H. The vulnerability is classified under CWE-862 (Missing Authorization) and requires no user interaction or privileges for exploitation. The attack vector is network-accessible (NVD).

The vulnerability allows unauthenticated attackers to perform unauthorized actions including post, comment, and attachment modification or deletion. This can lead to significant availability impact (High) and limited integrity impact (Low) on affected systems (Patchstack Database).

Users are advised to update to wProject version 5.8.0 or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack Database).