{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11815", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-15T16:20:17.289Z", "datePublished": "2025-11-21T07:31:52.812Z", "dateUpdated": "2026-04-08T17:06:36.065Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:36.065Z"}, "affected": [{"vendor": "admintwentytwenty", "product": "UiPress lite | Effortless custom dashboards, admin themes and pages", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.08", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the uip_save_site_option() function in all versions up to, and including, 3.5.08. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings. Other AJAX actions are also affected."}], "title": "UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.08 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f8d7397-0201-4194-8604-057f905ef10b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/uipress-lite/trunk/admin/core/ajax-functions.php#L396"}, {"url": "https://plugins.trac.wordpress.org/changeset/3398753/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2025-11-20T19:17:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T16:16:42.358594Z", "id": "CVE-2025-11815", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T18:04:11.946Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11815", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-21T16:16:42.358594Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T16:16:46.159Z"}}], "cna": {"title": "UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.08 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "admintwentytwenty", "product": "UiPress lite | Effortless custom dashboards, admin themes and pages", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.5.08"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-20T19:17:51.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f8d7397-0201-4194-8604-057f905ef10b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/uipress-lite/trunk/admin/core/ajax-functions.php#L396"}, {"url": "https://plugins.trac.wordpress.org/changeset/3398753/"}], "descriptions": [{"lang": "en", "value": "The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the uip_save_site_option() function in all versions up to, and including, 3.5.08. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings. Other AJAX actions are also affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:36.065Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11815", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:06:36.065Z", "dateReserved": "2025-10-15T16:20:17.289Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T07:31:52.812Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the uip_save_site_option() function in all versions up to, and including, 3.5.08. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings. Other AJAX actions are also affected."}], "id": "CVE-2025-11815", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T08:15:51.750", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/uipress-lite/trunk/admin/core/ajax-functions.php#L396"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3398753/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f8d7397-0201-4194-8604-057f905ef10b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:20:11.320501+00:00", "value": {"mitigation_remediation": ["Update the UiPress lite plugin to the latest available version that includes the proper authorization checks for the affected AJAX functions.", "If an upgrade is not immediately feasible, restrict or disable the impacted AJAX endpoints through server-side access controls or by applying a temporary custom capability filter.", "Enforce stricter role management to ensure that only trusted users hold Subscriber or higher privileges and audit user permissions regularly."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Modification of Plugin Settings"}, "threat_synthesis": {"affected_systems": "WordPress sites using the UiPress lite | Effortless custom dashboards, admin themes and pages plugin, version 3.5.08 or older, by vendor admintwentytwenty.", "description_and_impact": "The UiPress lite plugin for WordPress has a missing capability check on the uip_save_site_option() AJAX function in all releases up to and including 3.5.08. An authenticated attacker with at least Subscriber-level access can invoke this endpoint and change arbitrary plugin settings. The change can alter dashboard layouts, themes, or other configuration options, potentially disrupting site appearance or behavior without granting direct code execution rights.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests the likelihood of exploitation is very low at present. The vulnerability is not listed in CISA KEV. Since the exploit requires only a valid authenticated session, the attack vector is an authenticated request; no privilege escalation beyond the existing account level is needed. The impact is confined to configuration changes rather than code execution, keeping the overall risk moderate."}}}}, "created": "2025-11-24T09:09:17.052176+00:00", "updated": "2026-04-22T12:30:16.829246+00:00", "vendors": ["uipress", "uipress$PRODUCT$uipress_lite", "wordpress", "wordpress$PRODUCT$wordpress"]}