The UiPress lite WordPress plugin allows a template to be saved by executing the function uip_save_ui_template without verifying the user’s capability. As a result, any authenticated user who has at least Subscriber access can create or modify a template that contains arbitrary JavaScript. When a site visitor or administrator opens the page that renders the template, the injected code is executed in the visitor’s browser, giving the attacker the ability to deface the site, steal session cookies, track users, or otherwise compromise the integrity and confidentiality of the WordPress installation.

This flaw exists in the admintwentytwenty:UiPress lite plugin version 3.5.08 and all earlier releases. The vulnerability is confined to the WordPress plugin environment and only affects installations that have the unit enabled and allow non‑administrator users to edit or create UI templates. Any WordPress site that has not upgraded beyond 3.5.08 and provides template editing rights to subscribers or higher is potentially impacted.

The CVSS score of 6.4 indicates a moderate severity, and the EPSS score of < 1% points to a low probability of exploitation at present. However, because the flaw permits stored cross‑site scripting, the impact could be severe if an attacker succeeds. The vulnerability is not cataloged in CISA’s KEV database, and no other public exploits have been reported. Attackers must be authenticated, but the minimum required privilege level is only Subscriber, which is granted to many users on a typical WordPress site. Once the malicious template is saved, any visitor to the affected page will run the injected code, making the risk both wide and immediate for users who view the crafted content.