Description
Missing Authorization vulnerability in UiPress UiPress lite uipress-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UiPress lite: from n/a through <= 3.5.09.
Published: 2026-03-19
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to WordPress Administrative Features
Action: Patch Now
AI Analysis

Impact

The UiPress lite plugin for WordPress contains a Missing Authorization flaw (CWE‑862) that permits an attacker to bypass standard access controls, allowing privileged actions that should be reserved for authenticated administrators. Based on the description, it is inferred that this broken access control can enable an unauthorized user to view, modify, or delete site content and configuration settings, potentially compromising the entire site.

Affected Systems

The flaw affects the UiPress lite plugin by UiPress, up to and including version 3.5.09. Any WordPress site running this plugin at version 3.5.09 or earlier is affected.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity. The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation. Based on the description, it is inferred that the attack vector is likely remote, occurring via the WordPress web interface where the plugin resides; an attacker may require only minimal or no authentication to exploit the broken access controls. Based on the description, it is inferred that if successful, the attacker could gain full administrative access, enabling changes to site content, settings, or data.

Generated by OpenCVE AI on April 29, 2026 at 00:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the UiPress Lite plugin to the newest version or remove the plugin if it is not essential to site functionality.
  • Restrict user roles so that only administrators can access the plugin’s settings and configuration pages.
  • Audit existing WordPress accounts and eliminate any unnecessary or suspicious accounts, ensuring that only legitimate administrators retain elevated privileges.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Value: cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Missing Authorization vulnerability in UiPress UiPress lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UiPress lite: from n/a through 3.5.09.
Value added: Missing Authorization vulnerability in UiPress UiPress lite uipress-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UiPress lite: from n/a through <= 3.5.09.

Type: References

Type: Metrics
Value: cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Thu, 19 Mar 2026 14:15:00 +0000

Type: Metrics
Value: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values:
  • Uipress
  • Uipress uipress Lite
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values:
  • Uipress
  • Uipress uipress Lite
  • Wordpress
  • Wordpress wordpress

Thu, 19 Mar 2026 07:15:00 +0000

Type: Description
Value: Missing Authorization vulnerability in UiPress UiPress lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UiPress lite: from n/a through 3.5.09.

Type: Title
Value: WordPress UiPress lite plugin <= 3.5.09 - Broken Access Control vulnerability

Type: Weaknesses
Value: CWE-862

Type: References

Type: Metrics
Value: cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:15:01.703Z

Reserved: 2026-02-17T13:24:05.456Z

Link: CVE-2026-27091

Vulnrichment

Updated: 2026-03-19T14:05:04.208Z

NVD

Status: Deferred

Published: 2026-03-19T07:15:58.263

Modified: 2026-04-23T15:37:19.230

Link: CVE-2026-27091

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T01:00:11Z
