CVE-2026-2294

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_global_settings' function in all versions up to, and including, 3.5.09. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/uipress-lite/tags/3.5.09/admin/core/uiBuilder.php#L333
https://www.wordfence.com/threat-intel/vulnerabilities/id/5cc00331-4c4d-44c9-9068-bd7320f9d4a5?source=cve

Configurations

No configuration.

History

22 Apr 2026, 21:32

Type	Values Removed	Values Added
Summary		(es) El plugin UiPress lite \| Effortless custom dashboards, admin themes and pages para WordPress es vulnerable a la modificación no autorizada de datos debido a una falta de verificación de capacidad en la función 'uip_save_global_settings' en todas las versiones hasta la 3.5.09, inclusive. Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, cambiar configuraciones arbitrarias del plugin.

21 Mar 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-21 04:16

Updated : 2026-04-22 21:32

NVD link : CVE-2026-2294

Mitre link : CVE-2026-2294

CVE.ORG link : CVE-2026-2294

JSON object : View

Products Affected

No product.

CWE

CWE-285

Improper Authorization

4.3 /10