Impact
The vulnerability originates from a missing capability check in the 'uip_save_global_settings' function of the UiPress lite WordPress plugin, which lets any authenticated user with Subscriber or higher privileges change the plugin's configuration. This can alter custom dashboards, admin themes, and page settings without an administrator's consent. The flaw does not directly expose system files or execute code, but it compromises the integrity of the admin interface and can lead to unintended UI behavior or indirect exposure through settings that influence front-end or back-end functionality.
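As an added illustration that is not the plugin's own code: a WordPress AJAX settings-save handler in the unchecked shape the advisory describes, beside a hardened version that enforces a capability and a nonce. The hook, function, option and nonce names are assumed for the example.

```php
<?php
// Illustrative handlers (assumed names, not UiPress code). wp_ajax_* hooks fire
// only for logged-in users, which is exactly the Subscriber-or-higher population.

// Unchecked pattern: the handler saves whatever arrives without asking
// whether the caller is allowed to manage the plugin's settings.
add_action( 'wp_ajax_example_save_global_settings', 'example_save_global_settings_unchecked' );
function example_save_global_settings_unchecked() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_global_settings', $settings ); // any Subscriber reaches this line
    wp_send_json_success();
}

// Hardened pattern: require a capability Subscribers do not hold, verify the
// nonce so the request came from the admin UI, and sanitize before saving.
add_action( 'wp_ajax_example_save_global_settings_v2', 'example_save_global_settings_checked' );
function example_save_global_settings_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 ); // calls wp_die()
    }
    check_ajax_referer( 'example_settings_nonce', 'security' ); // dies on a bad or missing nonce

    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    $settings = example_sanitize_settings( is_array( $raw ) ? $raw : array() );
    update_option( 'example_global_settings', $settings );
    wp_send_json_success();
}

// Keep only known keys so a caller cannot smuggle arbitrary data into the option.
function example_sanitize_settings( array $raw ) {
    $allowed = array( 'admin_theme', 'dashboard_layout' );
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $raw[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $raw[ $key ] );
        }
    }
    return $clean;
}
```

The capability check must come before any write; checking the nonce alone does not help, because a Subscriber can obtain a valid nonce for their own session.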
Affected Systems
All installations of the UiPress lite WordPress plugin up to and including version 3.5.09 are vulnerable. The flaw applies to every WordPress site that has the plugin installed and for which users can log in with Subscriber or higher roles.
Risk and Exploitability
The CVSS base score of 4.3 indicates moderate risk. EPSS data are unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication: an attacker must have a valid WordPress account with Subscriber-level rights or higher. Beyond that, exploitation requires only the ability to submit a settings change, so while the technical barrier is low, the impact is confined to altering plugin configuration rather than providing remote code execution or privilege escalation. Nonetheless, sites should treat the flaw as a significant integrity concern and remediate it promptly.
OpenCVE Enrichment