CVE-2025-10938: CWE-862 Missing Authorization in admintwentytwenty UiPress lite | Effortless custom dashboards, admin themes and pages
The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uip_process_block_query' AJAX function. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive user data including password hashes, emails, and other user information that could be used for account takeover attacks.
AI Analysis
Technical Summary
CVE-2025-10938 is a CWE-862 (Missing Authorization) flaw in UiPress lite, a WordPress plugin used to build custom dashboards, admin themes and admin pages. All versions up to and including 3.5.08 are affected. The 'uip_process_block_query' AJAX handler does not verify that the caller holds an appropriate capability before running its query, so any authenticated user, down to the default Subscriber role that WordPress assigns to self-registered accounts, can call it and retrieve data about other users, including password hashes, email addresses and other profile information. No user interaction is needed, and the handler is reachable over the network through WordPress's standard AJAX endpoint, so the attack is simple to carry out once the attacker holds any account on the site. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, giving a score of 6.5 (medium): the direct impact is confined to confidentiality, with no effect on integrity or availability. That rating understates the follow-on risk, since leaked hashes can be cracked offline and leaked account details support targeted account takeover and further privilege escalation. No public exploit was known at the time of this analysis, and no vendor patch was available at the time of publication, so administrators running the plugin should act on the interim mitigations below without waiting for an update.
Potential Impact
For European organizations, the immediate consequence is unauthorized disclosure of personal data about every registered user: password hashes, email addresses and other profile fields. That alone is a reportable personal-data breach under GDPR for most controllers, but the follow-on risk matters more. WordPress stores salted, iterated password hashes, so cracking is not instant, yet weak and reused passwords still fall to offline guessing, and a cracked administrator hash means full control of the site. Because the only prerequisite is a Subscriber-level account, any site that allows self-registration, or that has a single compromised low-privilege account, is exposed; sites used for customer engagement, member portals or e-commerce, and any site with a large user base or handling sensitive personal data, carry the highest risk. Realistic outcomes are data breaches, regulatory penalties, reputational damage and operational disruption once an attacker holds administrative access. No exploit was public at the time of writing, which leaves a window for mitigation, but the low attack complexity and network reachability make that window short.
Mitigation Recommendations
European organizations should first audit their WordPress estate for the UiPress lite plugin and record its version; anything at or below 3.5.08 is affected. Since no official patch was available at the time of this report, administrators should apply the following interim measures:
1) Restrict the affected handler at the web application firewall. WordPress AJAX calls go to /wp-admin/admin-ajax.php with the handler named in the action parameter, and plugins normally send that parameter in the POST body, so the rule must inspect request bodies rather than only the query string. Block action=uip_process_block_query outright until a fix ships, or allow it only from the addresses administrators use.
2) Shrink the pool of accounts that can reach the handler. Every authenticated user is a viable attacker here, not only privileged ones, so disable open registration (Settings > General, "Anyone can register") unless the site needs it, remove dormant accounts, and watch for new or unusual sign-ins.
3) Deactivate or uninstall the plugin if it is not essential; an inactive plugin registers no AJAX handlers, which removes the exposure entirely.
4) Log admin-ajax.php calls together with the action name and the calling account, and alert on any call to uip_process_block_query from a non-administrator, especially repeated calls from one account. Plain web-server access logs do not record POST bodies, so this needs WAF or application-level logging.
5) Track the vendor's changelog and the Wordfence advisory, and apply the fixed version as soon as it is released.
6) Brief site administrators on plugin hygiene and prompt patching.
7) Enforce multi-factor authentication, at least for administrators. It does not prevent the data exposure itself, but it blunts the account takeover that cracked hashes would otherwise enable.
If logs show the handler was invoked by non-administrator accounts before these measures were in place, assume the user table has been read: force a password reset for all users, starting with administrators.
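The audit and monitoring steps above (1, 2 and 4) can be partly scripted. The following Python is an added example written for this analysis; it is not code from the advisory, from Wordfence or from the plugin vendor. It assumes that the plugin's main file carries the standard WordPress 'Version:' header, that request records arrive as JSON-style dictionaries from a body-aware logging layer (a WAF or a small must-use plugin) with ts, ip, user, role, method, path and params fields, and that roles follow WordPress defaults; the plugin header and request records it processes are constructed for illustration. It checks whether an installed version falls in the affected range, comparing version components numerically because zero-padded strings such as 3.5.08 misorder under plain string comparison, and flags every call to uip_process_block_query made by an account outside an administrator allow-list.

```python
"""
Triage helpers for CVE-2025-10938 (UiPress lite <= 3.5.08).

Added example, not code from the advisory or from the plugin vendor.
Assumptions (not stated on the page): the plugin main file carries the
standard WordPress 'Version:' header; request records come as dicts from a
body-aware logging layer with ts, ip, user, role, method, path and params;
roles use WordPress defaults. All sample data below is constructed.
"""
import re
from typing import Iterable, Optional

VULNERABLE_MAX = "3.5.08"                # last affected version per the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"   # WordPress AJAX endpoint
AJAX_ACTION = "uip_process_block_query"  # handler named in the advisory
# Roles a site may legitimately allow to run dashboard block queries.
# Assumption: administrators only; widen per site policy.
EXPECTED_ROLES = {"administrator"}

_VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)",
                             re.MULTILINE)


def parse_version(v: str) -> tuple:
    """Split '3.5.08' into (3, 5, 8) so components compare as integers.
    String comparison gets this wrong: '3.5.08' < '3.5.1' and
    '3.5.9' > '3.5.10' as strings, both the opposite of the real order."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(version: str) -> bool:
    """True when an installed version lies inside the advisory's range."""
    return parse_version(version) <= parse_version(VULNERABLE_MAX)


def version_from_header(plugin_php: str) -> Optional[str]:
    """Read the version from a plugin main-file header block."""
    m = _VERSION_HEADER.search(plugin_php)
    return m.group(1) if m else None


def flag_requests(records: Iterable[dict]) -> list:
    """Return records that call the vulnerable AJAX action from any role
    outside EXPECTED_ROLES. The action may arrive in the query string (GET)
    or the body (POST); the logging layer is assumed to merge both into
    'params', which is why plain access logs are not sufficient."""
    hits = []
    for rec in records:
        if rec.get("path") != AJAX_PATH:
            continue
        if (rec.get("params") or {}).get("action") != AJAX_ACTION:
            continue
        role = rec.get("role") or "anonymous"
        if role in EXPECTED_ROLES:
            continue
        hits.append({"ts": rec.get("ts"), "ip": rec.get("ip"),
                     "user": rec.get("user"), "role": role,
                     "method": rec.get("method")})
    return hits


def callers_by_user(hits: Iterable[dict]) -> dict:
    """Count flagged calls per account to spot enumeration bursts."""
    counts: dict = {}
    for h in hits:
        counts[h["user"]] = counts.get(h["user"], 0) + 1
    return counts


# Constructed sample input: a plugin header and a few request records.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: UiPress lite
 * Version: 3.5.08
 */
"""

SAMPLE_RECORDS = [
    {"ts": "2025-11-20T09:00:01Z", "ip": "198.51.100.10", "user": "admin",
     "role": "administrator", "method": "POST", "path": AJAX_PATH,
     "params": {"action": AJAX_ACTION}},
    {"ts": "2025-11-20T09:01:10Z", "ip": "203.0.113.7", "user": "newuser42",
     "role": "subscriber", "method": "POST", "path": AJAX_PATH,
     "params": {"action": AJAX_ACTION}},
    {"ts": "2025-11-20T09:01:11Z", "ip": "203.0.113.7", "user": "newuser42",
     "role": "subscriber", "method": "GET", "path": AJAX_PATH,
     "params": {"action": AJAX_ACTION}},
    {"ts": "2025-11-20T09:02:00Z", "ip": "203.0.113.7", "user": "newuser42",
     "role": "subscriber", "method": "POST", "path": AJAX_PATH,
     "params": {"action": "heartbeat"}},
    {"ts": "2025-11-20T09:03:00Z", "ip": "192.0.2.5", "user": None,
     "role": None, "method": "POST", "path": "/wp-login.php", "params": {}},
]


if __name__ == "__main__":
    ver = version_from_header(SAMPLE_PLUGIN_HEADER)
    if ver is None:
        print("no Version header found")
    else:
        verdict = "VULNERABLE" if is_vulnerable(ver) else "outside affected range"
        print(f"installed {ver}: {verdict}")
    hits = flag_requests(SAMPLE_RECORDS)
    for h in hits:
        print("suspect call:", h)
    print("calls per account:", callers_by_user(hits))
```

Run it directly to see the verdict for the sample data. The role field is the part a web server cannot supply on its own; in practice it comes from a must-use plugin that records the current user's ID and roles on each admin-ajax request, or from the WAF's session enrichment, and without it the script can only report that the action was called, not by whom.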
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-25T00:03:45.616Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69202359cf2d47c38997b37e
Added to database: 11/21/2025, 8:31:21 AM
Last enriched: 11/28/2025, 8:43:20 AM
Last updated: 1/7/2026, 5:23:33 AM
Related Threats
- CVE-2026-0650: CWE-306 Missing Authentication for Critical Function in OpenFlagr Flagr (Critical)
- CVE-2025-15474: CWE-770 Allocation of Resources Without Limits or Throttling in AuntyFey AuntyFey Smart Combination Lock (Medium)
- CVE-2025-14468: CWE-352 Cross-Site Request Forgery (CSRF) in mohammed_kaludi AMP for WP – Accelerated Mobile Pages (Medium)
- CVE-2025-9611: CWE-749 Exposed Dangerous Method or Function in Microsoft Playwright (High)
- CVE-2026-22162 (Unknown)