CVE-2025-11815 is an improper authorization vulnerability (CWE-285) found in the UiPress lite WordPress plugin, which provides custom dashboards, admin themes, and pages. The vulnerability arises from the absence of a proper capability check in the uip_save_site_option() function, which is responsible for saving site options via AJAX. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this function and modify arbitrary plugin settings without sufficient permission validation. Other AJAX actions within the plugin are similarly affected, broadening the attack surface. Since Subscribers typically have very limited access, this vulnerability effectively escalates their ability to alter administrative plugin configurations, potentially leading to further privilege escalation or persistent malicious changes. The vulnerability is remotely exploitable over the network without user interaction, increasing its risk profile. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the low complexity of attack and limited impact on confidentiality and availability but a clear impact on integrity. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects all versions up to and including 3.5.08 of the plugin.

The primary impact of this vulnerability is unauthorized modification of plugin settings, which compromises the integrity of the affected WordPress site’s administrative interface. Attackers with Subscriber-level access can alter configurations, potentially enabling further privilege escalation, persistent backdoors, or disruption of site management workflows. While it does not directly expose sensitive data or cause denial of service, the ability to change plugin settings can facilitate subsequent attacks, including injection of malicious code or disabling security controls. Organizations relying on UiPress lite for custom dashboards and admin themes are at risk of unauthorized administrative changes, which can undermine trust and operational stability. The vulnerability’s ease of exploitation and broad affected version range increase the likelihood of exploitation in environments where patching is delayed. Given WordPress’s widespread use globally, the impact can be significant for websites using this plugin, especially those with multiple user roles and contributors.

1. Immediate mitigation involves restricting Subscriber-level users from accessing or invoking the affected AJAX actions by implementing custom capability checks or disabling the plugin’s AJAX endpoints until a patch is available. 2. Monitor and audit user activities related to plugin settings changes to detect unauthorized modifications promptly. 3. Apply the principle of least privilege by reviewing and minimizing user roles and permissions, ensuring that only trusted users have elevated access. 4. Regularly update the UiPress lite plugin once the vendor releases a patch addressing this vulnerability. 5. Consider deploying a Web Application Firewall (WAF) with rules to detect and block suspicious AJAX requests targeting the vulnerable functions. 6. Backup site configurations and plugin settings frequently to enable quick restoration in case of unauthorized changes. 7. Educate site administrators and users about the risks of unauthorized access and the importance of strong authentication practices.