Unauthorized Data Modification in UiPress Lite Plugin for WordPress
CVE-2025-1309
8.8HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 7 March 2025
What is CVE-2025-1309?
The UiPress Lite plugin for WordPress is susceptible to unauthorized data modification due to a lack of proper capability checks in the uip_save_form_as_option() function. This vulnerability affects all versions up to and including 3.5.04, enabling authenticated attackers with Subscriber-level access and higher to alter arbitrary site options. Exploiting this flaw could allow attackers to change default registration roles to administrator and enable user registrations, ultimately granting them administrative access to vulnerable WordPress installations.
Affected Version(s)
UiPress lite | Effortless custom dashboards, admin themes and pages * <= 3.5.04