{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27091", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:24:05.456Z", "datePublished": "2026-03-19T06:48:21.913Z", "dateUpdated": "2026-03-19T14:05:15.874Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T06:48:21.913Z"}, "title": "WordPress UiPress lite plugin <= 3.5.09 - Broken Access Control vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "UiPress", "product": "UiPress lite", "collectionURL": "https://wordpress.org/plugins", "packageName": "uipress-lite", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "3.5.09", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in UiPress UiPress lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UiPress lite: from n/a through 3.5.09.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Missing Authorization vulnerability in UiPress UiPress lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects UiPress lite: from n/a through 3.5.09.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/uipress-lite/vulnerability/wordpress-uipress-lite-plugin-3-5-09-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}], "credits": [{"lang": "en", "value": "w41bu1 | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T14:04:57.276266Z", "id": "CVE-2026-27091", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:05:15.874Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27091", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T14:04:57.276266Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:05:04.208Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress UiPress lite plugin <= 3.5.09 - Broken Access Control vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "w41bu1 | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "UiPress", "product": "UiPress lite", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "3.5.09"}], "packageName": "uipress-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/uipress-lite/vulnerability/wordpress-uipress-lite-plugin-3-5-09-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in UiPress UiPress lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UiPress lite: from n/a through 3.5.09.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in UiPress UiPress lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects UiPress lite: from n/a through 3.5.09.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T06:48:21.913Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27091", "state": "PUBLISHED", "dateUpdated": "2026-03-19T14:05:15.874Z", "dateReserved": "2026-02-17T13:24:05.456Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T06:48:21.913Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in UiPress UiPress lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UiPress lite: from n/a through 3.5.09."}], "id": "CVE-2026-27091", "lastModified": "2026-03-19T13:25:00.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T07:15:58.263", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/uipress-lite/vulnerability/wordpress-uipress-lite-plugin-3-5-09-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.09]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "UiPress lite", "source": "cna", "vendor": "UiPress"}, "product": "uipress_lite", "vendor": "uipress"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T08:21:18.645201+00:00", "value": {"mitigation_remediation": ["Upgrade UiPress lite to a version newer than 3.5.09 to resolve the access control flaw.", "If an update is not available or cannot be applied immediately, remove or disable the UiPress lite plugin to eliminate the vulnerable code path.", "Verify that all other WordPress core files and plugins are up\u2013to\u2013date and monitor the plugin repository or vendor announcements for a fixed version, applying it as soon as released."], "summary": {"action": "Immediate Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The broken access control affects the UiPress lite plugin for all versions from the earliest available release through 3.5.09. Consequently, any WordPress site running UiPress lite version 3.5.09 or older is exposed to this risk.", "description_and_impact": "The vulnerability is a missing authorization flaw that exposes incorrectly configured access control security levels in the UiPress lite WordPress plugin. This flaw is documented as CWE-862 and allows attackers to access or modify plugin functionality that should be restricted, potentially enabling unauthorized data manipulation or site takeover.", "risk_and_exploitability": "The CVSS score of 6.3 indicates a moderate severity. EPSS data is not available and the vulnerability has not been listed in the CISA KEV catalog, suggesting no widespread exploitation yet. Nevertheless, the flaw enables remote exploitation via web access to the plugin\u2019s administrative endpoints, and the lack of proper authentication checks makes the attack path relatively straightforward for an attacker with network visibility to the site."}}}}, "created": "2026-03-19T08:54:29.614552+00:00", "updated": "2026-03-20T14:15:45.574939+00:00", "vendors": ["uipress", "uipress$PRODUCT$uipress_lite", "wordpress", "wordpress$PRODUCT$wordpress"]}