CVE-2025-1309: CWE-862 Missing Authorization in admintwentytwenty UiPress lite | Effortless custom dashboards, admin themes and pages
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the uip_save_form_as_option() function in all versions up to, and including, 3.5.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
AI Analysis
Technical Summary
CVE-2025-1309 is a critical authorization bypass vulnerability in the UiPress lite WordPress plugin, which provides custom dashboards, admin themes, and pages. The vulnerability stems from the absence of a capability check in the uip_save_form_as_option() function, allowing authenticated users with minimal privileges (Subscriber-level or above) to update arbitrary WordPress options. This unauthorized modification can be exploited to change the default user role assigned upon registration to 'administrator' and to enable user registration if it was previously disabled. Consequently, an attacker can create new administrative accounts, gaining full control over the WordPress site. The vulnerability affects all versions up to 3.5.04 inclusive. The CVSS 3.1 base score is 8.8, indicating a high severity with network attack vector, low attack complexity, privileges required but no user interaction, and impacts on confidentiality, integrity, and availability. No patches are currently linked, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-862 (Missing Authorization). Given WordPress's widespread use and the popularity of UiPress lite for admin customization, this vulnerability poses a significant risk to many websites globally.
Potential Impact
The impact of CVE-2025-1309 is severe for organizations running WordPress sites with the UiPress lite plugin installed. Attackers with low-level authenticated access can escalate privileges to full administrator rights, effectively taking over the site. This can lead to complete loss of confidentiality, integrity, and availability of the affected WordPress installation. Attackers could install backdoors, deface websites, steal sensitive data, or use the compromised site as a launchpad for further attacks. The ability to enable user registration and assign admin roles increases the risk of persistent and stealthy compromises. Organizations relying on WordPress for business operations, e-commerce, or content management face reputational damage, financial loss, and regulatory compliance issues if exploited. The vulnerability's ease of exploitation and broad impact make it a critical threat to websites globally.
Mitigation Recommendations
To mitigate CVE-2025-1309, organizations should immediately update the UiPress lite plugin to a patched version once available. Until a patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Restricting user roles and minimizing the number of users with Subscriber-level access can reduce risk. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the uip_save_form_as_option() function may provide temporary protection. Monitoring WordPress site options for unauthorized changes, especially the default user role and registration settings, can help detect exploitation attempts. Additionally, enforcing strong authentication mechanisms and regularly auditing user accounts for unauthorized admin users will help contain potential damage. Organizations should also review their WordPress security posture, including plugin inventories and access controls, to prevent similar vulnerabilities.
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, India, Brazil, Japan, Netherlands, Italy, Spain
CVE-2025-1309: CWE-862 Missing Authorization in admintwentytwenty UiPress lite | Effortless custom dashboards, admin themes and pages
Description
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the uip_save_form_as_option() function in all versions up to, and including, 3.5.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
AI-Powered Analysis
Technical Analysis
CVE-2025-1309 is a critical authorization bypass vulnerability in the UiPress lite WordPress plugin, which provides custom dashboards, admin themes, and pages. The vulnerability stems from the absence of a capability check in the uip_save_form_as_option() function, allowing authenticated users with minimal privileges (Subscriber-level or above) to update arbitrary WordPress options. This unauthorized modification can be exploited to change the default user role assigned upon registration to 'administrator' and to enable user registration if it was previously disabled. Consequently, an attacker can create new administrative accounts, gaining full control over the WordPress site. The vulnerability affects all versions up to 3.5.04 inclusive. The CVSS 3.1 base score is 8.8, indicating a high severity with network attack vector, low attack complexity, privileges required but no user interaction, and impacts on confidentiality, integrity, and availability. No patches are currently linked, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-862 (Missing Authorization). Given WordPress's widespread use and the popularity of UiPress lite for admin customization, this vulnerability poses a significant risk to many websites globally.
Potential Impact
The impact of CVE-2025-1309 is severe for organizations running WordPress sites with the UiPress lite plugin installed. Attackers with low-level authenticated access can escalate privileges to full administrator rights, effectively taking over the site. This can lead to complete loss of confidentiality, integrity, and availability of the affected WordPress installation. Attackers could install backdoors, deface websites, steal sensitive data, or use the compromised site as a launchpad for further attacks. The ability to enable user registration and assign admin roles increases the risk of persistent and stealthy compromises. Organizations relying on WordPress for business operations, e-commerce, or content management face reputational damage, financial loss, and regulatory compliance issues if exploited. The vulnerability's ease of exploitation and broad impact make it a critical threat to websites globally.
Mitigation Recommendations
To mitigate CVE-2025-1309, organizations should immediately update the UiPress lite plugin to a patched version once available. Until a patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Restricting user roles and minimizing the number of users with Subscriber-level access can reduce risk. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the uip_save_form_as_option() function may provide temporary protection. Monitoring WordPress site options for unauthorized changes, especially the default user role and registration settings, can help detect exploitation attempts. Additionally, enforcing strong authentication mechanisms and regularly auditing user accounts for unauthorized admin users will help contain potential damage. Organizations should also review their WordPress security posture, including plugin inventories and access controls, to prevent similar vulnerabilities.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-02-14T19:46:46.752Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b0fb7ef31ef0b54db16
Added to database: 2/25/2026, 9:35:11 PM
Last enriched: 2/25/2026, 9:53:58 PM
Last updated: 2/26/2026, 7:18:20 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup
HighCVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator
MediumCVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.