Description
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. This is due to the function taking user supplied inputs to execute arbitrary functions with arbitrary data, and does not have any sort of capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary code on the server.
Published: 2025-05-15
Score: 8.8 High
EPSS: 1.9% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This CVE describes a remote code execution vulnerability in the UiPress lite plugin for WordPress: its uip_process_form_input() function executes user-supplied arguments without verifying the caller's privileges. This flaw allows authenticated users with Subscriber-level or higher access to run arbitrary PHP code on the web server, compromising the confidentiality, integrity, and availability of the site.

Affected Systems

All releases of UiPress lite up to and including version 3.5.07 are affected. WordPress sites that have installed these versions of the plugin and have it active are at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8 and an EPSS score of 2%, indicating high severity and a low but non-zero probability of exploitation. Because exploitation requires authenticated access, an attacker must first compromise or hijack a subscriber account; from there the likely attack vector is an authenticated AJAX request to the plugin's endpoint, which reaches uip_process_form_input() and allows arbitrary code injection. The flaw is not currently listed in the CISA KEV catalog, but the combination of high impact and a low privilege requirement warrants immediate action.

Generated by OpenCVE AI on April 21, 2026 at 20:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade UiPress lite to the latest release (3.5.08 or newer) which removes the vulnerability.
  • If a patch cannot be applied immediately, temporarily disable the plugin's AJAX handling by deleting or renaming the ajax-functions.php file to prevent execution of the vulnerable function.
  • Reduce Subscriber-level access by revoking or disabling the Subscriber role for accounts that do not require it, or restrict the plugin’s usage to administrative roles only until the patch is applied.

Generated by OpenCVE AI on April 21, 2026 at 20:47 UTC.
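
Hardening the pattern named above, as an added example that is not UiPress code: a hypothetical admin-ajax handler that shows the defect class the advisory describes (a client-supplied callable with no capability check) beside a form with the nonce, capability check, and allowlist in place. The uip_demo_* names and the uip_demo_form action are assumptions.

```php
<?php
// Added example, not UiPress code: a hypothetical WordPress AJAX handler that
// reproduces the CWE-94 pattern the advisory describes, beside a hardened form.
// All uip_demo_* names and the 'uip_demo_form' action/nonce are assumptions.

// --- Vulnerable pattern: the request names the function and supplies its data,
// and no capability check is made. admin-ajax.php is reachable by any logged-in
// user, so a Subscriber account is enough to reach this code.
function uip_demo_vulnerable_handler() {
    $fn   = $_POST['function'] ?? '';
    $args = (array) ( $_POST['data'] ?? [] );
    wp_send_json_success( call_user_func_array( $fn, $args ) ); // arbitrary code
}

// --- Hardened form: nonce, capability check, and a fixed allowlist so the
// client selects a key, never a PHP callable.
function uip_demo_save_layout( array $data ) { return array_key_exists( 'layout', $data ); }
function uip_demo_reset_layout( array $data ) { return true; }

const UIP_DEMO_ACTIONS = [
    'save_layout'  => 'uip_demo_save_layout',
    'reset_layout' => 'uip_demo_reset_layout',
];

function uip_demo_hardened_handler() {
    // 1. CSRF: the request must carry a nonce minted for this form; dies on failure.
    check_ajax_referer( 'uip_demo_form', 'nonce' );

    // 2. Authorization: the check the advisory says is missing. Subscribers are rejected.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }

    // 3. Allowlist: only known keys resolve to code.
    $key = sanitize_key( wp_unslash( $_POST['action_key'] ?? '' ) );
    if ( ! isset( UIP_DEMO_ACTIONS[ $key ] ) ) {
        wp_send_json_error( 'unknown action', 400 ); // exits
    }

    // 4. Input: unslash and type-check data before the chosen handler sees it.
    $data = wp_unslash( $_POST['data'] ?? [] );
    $data = is_array( $data ) ? $data : [];

    wp_send_json_success( call_user_func( UIP_DEMO_ACTIONS[ $key ], $data ) );
}

// Register only the hardened handler. wp_ajax_ (not wp_ajax_nopriv_) fires for
// logged-in users only, which is why the capability check inside is still essential.
add_action( 'wp_ajax_uip_demo_form', 'uip_demo_hardened_handler' );
```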

Advisories
  • Source: EUVD
    ID: EUVD-2025-15143
    Title: The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. This is due to the function taking user supplied inputs to execute arbitrary functions with arbitrary data, and does not have any sort of capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary code on the server.
History

Thu, 15 May 2025 16:15:00 +0000

Values added:
  • Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 15 May 2025 04:45:00 +0000

Values added:
  • Description: The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. This is due to the function taking user supplied inputs to execute arbitrary functions with arbitrary data, and does not have any sort of capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary code on the server.
  • Title: UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.07 - Authenticated (Subscriber+) Remote Code Execution
  • Weaknesses: CWE-94
  • References
  • Metrics: cvssV3_1
    {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:08.759Z

Reserved: 2025-03-31T18:21:21.862Z

Link: CVE-2025-3053

Vulnrichment

Updated: 2025-05-15T15:17:59.859Z

NVD

Status: Deferred

Published: 2025-05-15T05:15:50.830

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3053

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:00:35Z

Weaknesses