CVE-2025-10938 MEDIUM

CVE-2025-10938: UiPress lite <= 3.5.08 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

Vendor Admintwentytwenty
Product UiPress lite | Effortless custom dashboards, admin themes and pages
Weakness CWE-862 · Missing authorization
Published November 21, 2025
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uip_process_block_query' AJAX function. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive user data including password hashes, emails, and other user information that could be used for account takeover attacks.

Explanation of Vulnerability in Simple Terms

02Summary

UiPress Lite versions up to 3.5.08 lack proper authorization checks, allowing authenticated users with low privileges to read sensitive data they should not access. An attacker with a basic user account can retrieve confidential information from the site without modifying or disrupting it. Update to a version newer than 3.5.08 to resolve this issue.

What an attacker can do

03Attacker Capabilities

Read sensitive data accessible only to higher-privileged users.

Potential impact on your site

04Site Impact

Confidential information may be exposed to users who should not have access to it.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

06Disclosure timeline

November 21, 2025 CVE published
April 8, 2026 Record updated