Vulnerabilities and security researches foruipress-lite uipress-lite

Jul 22, 2024

CVE, Research URL: CVE-2024-38788
Home page URL: Security reports for UiPress lite | Effortless custom dashboards, admin themes and pages
Application: UiPress lite | Effortless custom dashboards, admin themes and pages
Date: Jul 22, 2024
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bởi Admin 2020 UiPress lite allows SQL Injection.This issue affects UiPress lite: from n/a through 3.4.06.
Affected versions: max 3.4.07.
Status: vulnerable

Mar 09, 2025

CVE, Research URL: CVE-2025-1309
Home page URL: Security reports for UiPress lite | Effortless custom dashboards, admin themes and pages
Application: UiPress lite | Effortless custom dashboards, admin themes and pages
Date: Mar 07, 2025
Research Description: The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the uip_save_form_as_option() function in all versions up to, and including, 3.5.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Affected versions: max 3.5.05.
Status: vulnerable

May 15, 2025

CVE, Research URL: CVE-2025-3053
Home page URL: Security reports for UiPress lite | Effortless custom dashboards, admin themes and pages
Application: UiPress lite | Effortless custom dashboards, admin themes and pages
Date: May 15, 2025
Research Description: The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. This is due to the function taking user supplied inputs to execute arbitrary functions with arbitrary data, and does not have any sort of capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary code on the server.
Affected versions: max 3.5.08.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-11815
Home page URL: Security reports for UiPress lite | Effortless custom dashboards, admin themes and pages
Application: UiPress lite | Effortless custom dashboards, admin themes and pages
Date: Nov 21, 2025
Research Description: The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the uip_save_site_option() function in all versions up to, and including, 3.5.08. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings. Other AJAX actions are also affected.
Affected versions: max 3.5.09.
Status: vulnerable

CVE, Research URL: CVE-2025-11003
Home page URL: Security reports for UiPress lite | Effortless custom dashboards, admin themes and pages
Application: UiPress lite | Effortless custom dashboards, admin themes and pages
Date: Nov 21, 2025
Research Description: The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_ui_template' function in all versions up to, and including, 3.5.08. This makes it possible for authenticated attackers, with Subscriber-level access and above, to save templates that contain custom JavaScript.
Affected versions: max 3.5.08.
Status: vulnerable

CVE, Research URL: CVE-2025-10938
Home page URL: Security reports for UiPress lite | Effortless custom dashboards, admin themes and pages
Application: UiPress lite | Effortless custom dashboards, admin themes and pages
Date: Nov 21, 2025
Research Description: The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uip_process_block_query' AJAX function. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive user data including password hashes, emails, and other user information that could be used for account takeover attacks.
Affected versions: max 3.5.08.
Status: vulnerable