Tiangong Team

Name of the Vulnerable Software and Affected Versions: UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress versions up to, and including, 3.5.07 Description: The issue is related to Remote Code Execution in the UiPress lite plugin for WordPress. This is due to the `uip process form input()` function taking user-supplied inputs to execute arbitrary functions with arbitrary data, and does not have any sort of capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary code on the server. Recommendations: For versions up to, and including, 3.5.07, update to a version higher than 3.5.07 to resolve the issue. As a temporary workaround, consider disabling the `uip process form input()` function until a patch is available. Restrict access to the plugin to minimize the risk of exploitation.