{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2294", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-10T16:06:55.282Z", "datePublished": "2026-03-21T03:26:48.399Z", "dateUpdated": "2026-04-08T16:55:41.106Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:41.106Z"}, "affected": [{"vendor": "admintwentytwenty", "product": "UiPress lite | Effortless custom dashboards, admin themes and pages", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.09", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_global_settings' function in all versions up to, and including, 3.5.09. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings."}], "title": "UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cc00331-4c4d-44c9-9068-bd7320f9d4a5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/uipress-lite/tags/3.5.09/admin/core/uiBuilder.php#L333"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Wittavat Thammawong"}], "timeline": [{"time": "2026-03-20T15:10:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T17:13:15.688636Z", "id": "CVE-2026-2294", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:13:22.839Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2294", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T17:13:15.688636Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:13:18.962Z"}}], "cna": {"title": "UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Wittavat Thammawong"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "admintwentytwenty", "product": "UiPress lite | Effortless custom dashboards, admin themes and pages", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.5.09"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:10:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cc00331-4c4d-44c9-9068-bd7320f9d4a5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/uipress-lite/tags/3.5.09/admin/core/uiBuilder.php#L333"}], "descriptions": [{"lang": "en", "value": "The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_global_settings' function in all versions up to, and including, 3.5.09. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:41.106Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2294", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:55:41.106Z", "dateReserved": "2026-02-10T16:06:55.282Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:48.399Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_global_settings' function in all versions up to, and including, 3.5.09. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings."}, {"lang": "es", "value": "El plugin UiPress lite | Effortless custom dashboards, admin themes and pages para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'uip_save_global_settings' en todas las versiones hasta la 3.5.09, inclusive. Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, cambiar configuraciones arbitrarias del plugin."}], "id": "CVE-2026-2294", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:58.360", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/uipress-lite/tags/3.5.09/admin/core/uiBuilder.php#L333"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cc00331-4c4d-44c9-9068-bd7320f9d4a5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.09]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "UiPress lite | Effortless custom dashboards, admin themes and pages", "source": "cna", "vendor": "admintwentytwenty"}, "product": "uipress_lite_|_effortless_custom_dashboards,_admin_themes_and_pages", "vendor": "admintwentytwenty"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:39:07.178311+00:00", "value": {"mitigation_remediation": ["Update the UiPress lite plugin to any version newer than 3.5.09, which removes the missing capability check."], "summary": {"action": "Apply Patch", "impact": "Unauthorized modification of plugin settings by any authenticated user with Subscriber-level access or higher, potentially altering dashboard and theme configurations"}, "threat_synthesis": {"affected_systems": "All installations of the UiPress lite WordPress plugin up to and including version\u00a03.5.09 are vulnerable. The flaw applies to every WordPress site that has the plugin installed and for which users can log in with Subscriber or higher roles.", "description_and_impact": "The vulnerability originates from a missing capability check in the 'uip_save_global_settings' function of the UiPress lite WordPress plugin, enabling any authenticated user with Subscriber or higher privileges to change the plugin\u2019s configuration. This can alter custom dashboards, admin themes, and page settings without the user\u2019s consent. The flaw does not directly expose system files or execute code, but it compromises the integrity of the admin interface and can lead to unintended UI behavior or indirect exposure through settings that influence front- or back-end functionality.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates moderate risk. EPSS data are unavailable, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is authenticated; an attacker must have a valid WordPress account with Subscriber-level rights or higher. Exploitation requires only the ability to submit a settings change, so while the technical barrier is low, the impact is confined to altering plugin configurations rather than providing remote code execution or privilege escalation. Nonetheless, sites should treat the flaw as a significant integrity concern and promptly remediate it."}}}}, "created": "2026-03-23T09:50:35.503309+00:00", "updated": "2026-03-25T14:42:08.522133+00:00", "vendors": ["admintwentytwenty", "admintwentytwenty$PRODUCT$uipress_lite_|_effortless_custom_dashboards,_admin_themes_and_pages", "wordpress", "wordpress$PRODUCT$wordpress"]}