PT-2025-10049 · Unknown · Uipress Lite

Dale Mavers +1 · Published 2025-03-07 · Updated 2025-03-08 · CVE-2025-1309

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

UiPress lite versions up to, and including, 3.5.04

Description

The issue allows unauthorized modification of data, potentially leading to privilege escalation, due to a missing capability check on the uip_save_form_as_option() function. This enables authenticated attackers with Subscriber-level access or higher to update arbitrary options on the WordPress site, which can be used to gain administrative user access.

Recommendations

For versions up to, and including, 3.5.04, consider disabling the uip_save_form_as_option() function until a patch is available to prevent unauthorized data modification. Restrict access to sensitive options and settings to minimize the risk of exploitation.
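
The missing-authorization pattern described above, next to a hardened form, as an added illustration that is not UiPress source code. The function names, the AJAX action `example_save_option`, the request fields and the allow-listed option names are all hypothetical, and the fragment assumes it is loaded inside WordPress as part of a plugin.

```php
<?php
// Added illustration with hypothetical names; not taken from the UiPress plugin.

// Vulnerable pattern (left unregistered here): every logged-in user, Subscribers
// included, can reach a wp_ajax_* handler, and nothing below checks what the
// caller is allowed to do.
function example_save_option_insecure() {
    $name  = sanitize_key( wp_unslash( $_POST['optionName'] ?? '' ) );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value ); // the caller chooses which option is written
    wp_send_json_success();
}

// Hardened pattern: nonce check, capability check, and a fixed allow-list so the
// request can never select an option outside the plugin's own settings.
const EXAMPLE_ALLOWED_OPTIONS = array( 'example_form_submissions', 'example_form_settings' );

function example_save_option_hardened() {
    // 1. Reject requests that do not carry a valid nonce (terminates on failure).
    check_ajax_referer( 'example_save_option', 'security' );

    // 2. Authorization: only users who may manage site options can proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. The option name must be one of the plugin's own, known options.
    $name = sanitize_key( wp_unslash( $_POST['optionName'] ?? '' ) );
    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'Option not allowed' ), 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value, false ); // false: do not autoload this option
    wp_send_json_success( array( 'saved' => $name ) );
}
add_action( 'wp_ajax_example_save_option', 'example_save_option_hardened' );
```

The nonce alone is not authorization: any user who can load a page that prints it can submit it, so the `current_user_can()` check and the allow-list are what close the gap.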

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-1309

Affected Products

Uipress Lite