The vulnerability identified as CVE-2025-10938 affects the UiPress lite plugin for WordPress, a tool designed to create custom dashboards, admin themes, and pages. The root cause is a missing authorization check (CWE-862) in the AJAX handler function 'uip_process_block_query'. This function processes requests without verifying if the authenticated user has the appropriate capabilities, allowing users with minimal privileges (subscriber-level) to access sensitive user information. Exploiting this flaw enables attackers to extract password hashes, email addresses, and other user metadata, which can be leveraged for further attacks such as credential stuffing or phishing campaigns. The CVSS v3.1 score of 6.5 reflects a medium severity rating, with the vector indicating network attack vector, low attack complexity, requiring privileges but no user interaction, and high confidentiality impact without affecting integrity or availability. The vulnerability affects all versions up to and including 3.5.08 of the plugin. No patches or fixes have been linked yet, and no active exploitation has been reported. The vulnerability's presence in a widely used WordPress plugin increases the risk profile for websites relying on UiPress lite for administrative customization.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive user information, including password hashes and email addresses. This exposure can lead to account takeover attacks, especially if password hashes are weak or reused elsewhere. Organizations running WordPress sites with UiPress lite installed are at risk of user data compromise, which can damage reputation, lead to regulatory penalties under data protection laws, and cause operational disruptions if attackers escalate privileges or conduct further attacks. Since the flaw requires only subscriber-level access, attackers may gain initial footholds through compromised low-privilege accounts or social engineering. The vulnerability does not affect system integrity or availability directly but significantly undermines confidentiality, increasing the risk of broader security incidents.

Administrators should immediately audit their WordPress installations to identify if UiPress lite is installed and determine the version in use. Until an official patch is released, consider disabling the plugin or restricting access to authenticated users with higher privileges only. Implement additional access controls at the web server or application firewall level to block unauthorized AJAX requests targeting 'uip_process_block_query'. Monitor user accounts for suspicious activity, especially those with subscriber roles, and enforce strong password policies and multi-factor authentication to reduce the risk of account takeover. Regularly check for updates from the vendor and apply patches promptly once available. Additionally, review and harden WordPress security configurations to limit the impact of compromised low-privilege accounts.