Unauthorized Data Modification in UiPress Lite Plugin for WordPress
CVE-2025-1309

8.8HIGH

Key Information:

Vendor: WordPress
Status: Uipress Lite | Effortless Custom Dashboards, Admin Themes And Pages
Vendor: CVE Published:; 7 March 2025

What is CVE-2025-1309?

The UiPress Lite plugin for WordPress is susceptible to unauthorized data modification due to a lack of proper capability checks in the uip_save_form_as_option() function. This vulnerability affects all versions up to and including 3.5.04, enabling authenticated attackers with Subscriber-level access and higher to alter arbitrary site options. Exploiting this flaw could allow attackers to change default registration roles to administrator and enable user registrations, ultimately granting them administrative access to vulnerable WordPress installations.

Affected Version(s)

UiPress lite | Effortless custom dashboards, admin themes and pages * <= 3.5.04

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/uipress-lite/t...

https://plugins.trac.wordpress.org/changeset/3249865/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 7, 2025
Vulnerability Reserved
Feb 14, 2025

Credit

Dale Mavers