Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in UiPress UiPress lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UiPress lite: from n/a through 3.5.09.
AnalysisAI
UiPress Lite versions through 3.5.09 contain a missing authorization vulnerability (CWE-862) that allows authenticated users to exploit incorrectly configured access control security levels, enabling privilege escalation or unauthorized resource access. An attacker with low-level user credentials can bypass authorization checks to access or modify functionality restricted to higher-privilege roles. The vulnerability has a CVSS score of 6.3 with network-based attack vector requiring only low privileges, indicating moderate real-world exploitability.
Technical ContextAI
The vulnerability exists in the UiPress Lite WordPress plugin (cpe:2.3:a:uipress:uipress_lite:*:*:*:*:*:*:*:*), which is a user interface customization tool for WordPress. The root cause falls under CWE-862 (Missing Authorization), meaning the application fails to properly verify user permissions before allowing access to sensitive operations or resources. Rather than a cryptographic or authentication flaw, this is an access control configuration issue where the plugin does not consistently enforce role-based permission checks across its functions. WordPress plugins often misimplement capability checks when extending the WordPress permission system, leaving gaps where lower-privileged users (e.g., Contributors, Subscribers) can perform actions reserved for Administrators or Editors.
RemediationAI
Upgrade UiPress Lite to version 3.5.10 or later, which contains fixes for the access control vulnerability (consult the vendor advisory at https://patchstack.com/database/wordpress/plugin/uipress-lite/vulnerability/wordpress-uipress-lite-plugin-3-5-09-broken-access-control-vulnerability?_s_id=cve for the exact patched version). Immediately verify WordPress user role assignments and disable or restrict UiPress Lite functionality for lower-privileged users until the patch is applied. As a temporary workaround, use WordPress plugins like User Role Editor or Capability Manager to explicitly revoke sensitive capabilities from lower-privilege roles, or disable the UiPress Lite plugin entirely until patching is feasible.
More in Uipress Lite
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13067