CVE-2026-2294

Published: Mar 21, 2026 Last Modified: Mar 21, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 4,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: none

Description

AI Translation Available

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_global_settings' function in all versions up to, and including, 3.5.09. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings.

285

Improper Authorization

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control
Potential Impacts:
Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands
Applicable Platforms
Technologies: Database Server, Not Technology-Specific, Web Server
Likelihood of Exploit: High
View CWE Details
https://plugins.trac.wordpress.org/browser/uipress-lite/tag…
https://plugins.trac.wordpress.org/browser/uipress-lite/tags/3.5.09/admin/core/…
https://www.wordfence.com/threat-intel/vulnerabilities/id/5…
https://www.wordfence.com/threat-intel/vulnerabilities/id/5cc00331-4c4d-44c9-90…