Skip to main content

Uipress Lite CVE-2026-27091

| EUVDEUVD-2026-13067 MEDIUM
Missing Authorization (CWE-862)
2026-03-19 Patchstack
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 19, 2026 - 07:15 euvd
EUVD-2026-13067
Analysis Generated
Mar 19, 2026 - 07:15 vuln.today
CVE Published
Mar 19, 2026 - 06:48 nvd
MEDIUM 6.3

DescriptionCVE.org

Missing Authorization vulnerability in UiPress UiPress lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UiPress lite: from n/a through 3.5.09.

AnalysisAI

UiPress Lite versions through 3.5.09 contain a missing authorization vulnerability (CWE-862) that allows authenticated users to exploit incorrectly configured access control security levels, enabling privilege escalation or unauthorized resource access. An attacker with low-level user credentials can bypass authorization checks to access or modify functionality restricted to higher-privilege roles. The vulnerability has a CVSS score of 6.3 with network-based attack vector requiring only low privileges, indicating moderate real-world exploitability.

Technical ContextAI

The vulnerability exists in the UiPress Lite WordPress plugin (cpe:2.3:a:uipress:uipress_lite:*:*:*:*:*:*:*:*), which is a user interface customization tool for WordPress. The root cause falls under CWE-862 (Missing Authorization), meaning the application fails to properly verify user permissions before allowing access to sensitive operations or resources. Rather than a cryptographic or authentication flaw, this is an access control configuration issue where the plugin does not consistently enforce role-based permission checks across its functions. WordPress plugins often misimplement capability checks when extending the WordPress permission system, leaving gaps where lower-privileged users (e.g., Contributors, Subscribers) can perform actions reserved for Administrators or Editors.

RemediationAI

Upgrade UiPress Lite to version 3.5.10 or later, which contains fixes for the access control vulnerability (consult the vendor advisory at https://patchstack.com/database/wordpress/plugin/uipress-lite/vulnerability/wordpress-uipress-lite-plugin-3-5-09-broken-access-control-vulnerability?_s_id=cve for the exact patched version). Immediately verify WordPress user role assignments and disable or restrict UiPress Lite functionality for lower-privileged users until the patch is applied. As a temporary workaround, use WordPress plugins like User Role Editor or Capability Manager to explicitly revoke sensitive capabilities from lower-privilege roles, or disable the UiPress Lite plugin entirely until patching is feasible.

Share

CVE-2026-27091 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy