Unauthorized Data Modification in UiPress Lite Plugin for WordPress
CVE-2025-1309

8.8HIGH

What is CVE-2025-1309?

The UiPress Lite plugin for WordPress is susceptible to unauthorized data modification due to a lack of proper capability checks in the uip_save_form_as_option() function. This vulnerability affects all versions up to and including 3.5.04, enabling authenticated attackers with Subscriber-level access and higher to alter arbitrary site options. Exploiting this flaw could allow attackers to change default registration roles to administrator and enable user registrations, ultimately granting them administrative access to vulnerable WordPress installations.

Affected Version(s)

UiPress lite | Effortless custom dashboards, admin themes and pages * <= 3.5.04

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dale Mavers
.
The Cyber Security Vulnerability Database.