CVE-2025-10938: CWE-862 Missing Authorization in admintwentytwenty UiPress lite | Effortless custom dashboards, admin themes and pages
The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uip_process_block_query' AJAX function. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive user data including password hashes, emails, and other user information that could be used for account takeover attacks.
AI Analysis
Technical Summary
CVE-2025-10938 is a vulnerability classified under CWE-862 (Missing Authorization) found in the UiPress lite plugin for WordPress, which provides custom dashboards, admin themes, and pages. The issue exists in all versions up to and including 3.5.08 due to the absence of proper capability checks in the 'uip_process_block_query' AJAX function. This function can be invoked by authenticated users with subscriber-level privileges or higher, allowing them to query and retrieve sensitive user information such as password hashes, email addresses, and other personal data stored within the WordPress user database. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The attacker must be authenticated (PR:L) but no additional privileges beyond subscriber are needed. The impact is primarily on confidentiality (C:H), with no direct impact on integrity or availability. The vulnerability could facilitate account takeover attacks by enabling attackers to obtain password hashes and other sensitive data that can be used for credential cracking or phishing. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. The vulnerability was reserved in September 2025 and published in November 2025. The plugin is widely used in WordPress environments that require customized admin interfaces, making it a relevant threat vector for many websites.
Potential Impact
For European organizations, the exposure of sensitive user data such as password hashes and emails can lead to significant security incidents including account takeovers, unauthorized access to internal systems, and potential data breaches. Organizations relying on WordPress sites with the UiPress lite plugin are at risk of having subscriber-level users escalate their access or compromise other user accounts. This can affect internal portals, customer-facing websites, and any system integrated with WordPress user authentication. The breach of password hashes increases the risk of credential stuffing attacks across other corporate systems if users reuse passwords. The confidentiality breach may also lead to regulatory consequences under GDPR, especially if personal data is exposed without proper authorization. The medium severity rating reflects the moderate ease of exploitation combined with the significant impact on confidentiality. While no known exploits exist yet, the vulnerability's presence in a popular plugin means attackers may develop exploits soon, increasing urgency for mitigation.
Mitigation Recommendations
1. Monitor the UiPress lite plugin vendor’s official channels for security updates and apply patches immediately once available.
2. Until a patch is released, implement custom authorization checks on the 'uip_process_block_query' AJAX endpoint to restrict access strictly to trusted administrator roles.
3. Review and minimize the number of users with subscriber-level or higher access, especially on publicly accessible WordPress sites.
4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting the vulnerable function.
5. Conduct regular audits of user roles and permissions to ensure least privilege principles are enforced.
6. Monitor logs for unusual access patterns or data exfiltration attempts related to the plugin’s AJAX endpoints.
7. Educate site administrators about the risks of installing plugins without proper security vetting and encourage the use of security plugins that can detect missing authorization issues.
8. Consider isolating WordPress administrative interfaces behind VPNs or IP whitelisting to reduce exposure.
9. Enforce strong password policies and multi-factor authentication to mitigate the impact of potential credential compromise.
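As an added illustration of recommendations 2 and 6 (not code from the UiPress project or from this advisory), the following must-use plugin adds the missing capability check in front of the AJAX action and logs denied attempts. It assumes the plugin dispatches the handler under the standard WordPress action name `uip_process_block_query` (the `action` request parameter), and that `manage_options` is the right capability for your role model; both are assumptions to verify against your installation.

```php
<?php
/**
 * Plugin Name: uip_process_block_query guard (constructed example)
 * Description: Interim capability check until the vendor patch is applied.
 * Install path: wp-content/mu-plugins/ (loaded automatically, cannot be deactivated from the UI).
 */

// Assumption: the AJAX request's "action" parameter equals the function name.
const UIP_GUARDED_ACTION = 'uip_process_block_query';

// Assumption: only administrators should reach this endpoint. manage_options
// is held by administrators on a single site; adjust to your role model.
const UIP_REQUIRED_CAP = 'manage_options';

/**
 * Pure decision function: true when the request may proceed.
 * Any action other than the guarded one is left untouched.
 */
function uip_guard_request_allowed( string $action, bool $user_can ): bool {
    if ( $action !== UIP_GUARDED_ACTION ) {
        return true;
    }
    return $user_can;
}

/**
 * admin-ajax.php fires admin_init before dispatching wp_ajax_{action},
 * so this check runs ahead of the plugin's own handler regardless of the
 * priority the plugin registered with.
 */
function uip_guard_block_query(): void {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';

    if ( uip_guard_request_allowed( $action, current_user_can( UIP_REQUIRED_CAP ) ) ) {
        return;
    }

    // Recommendation 6: record who was denied, from where, for which action.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    error_log( sprintf( 'uip-guard: denied action=%s user_id=%d remote=%s', $action, get_current_user_id(), $remote ) );

    // Stop the request before the vulnerable handler runs.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
add_action( 'admin_init', 'uip_guard_block_query' );
```

The `uip-guard: denied` lines in the PHP error log give a simple signal for the log monitoring in recommendation 6; remove the guard once the vendor's fixed release is installed and verified.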
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-25T00:03:45.616Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69202359cf2d47c38997b37e
Added to database: 11/21/2025, 8:31:21 AM
Last enriched: 11/21/2025, 8:31:39 AM
Last updated: 11/21/2025, 11:28:05 PM