CVE-2026-27091

Vulnerability

Overview CVE-2026-27091 is a missing authorization vulnerability in the WordPress plugin UiPress lite (uipress-lite) affecting versions from n/a through 3.5.09. The issue stems from incorrectly configured access control security levels, meaning the plugin fails to properly verify a user's permissions before granting access to certain functions or data. This broken access control allows exploiting mechanisms that should be restricted to higher-privileged roles. [1]

Exploitation

Method Attackers can leverage this vulnerability remotely without requiring authentication or by using a low-privileged account, depending on the specific missing check. Since the plugin is widely deployed, this vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity. No special network position is necessary; an attacker needs only to send crafted requests to the vulnerable WordPress instance. [1]

Impact

Successful exploitation enables an attacker to perform unauthorized actions, potentially including modifying settings, accessing or altering data, or escalating privileges within the WordPress site. The CVSS v3 base score is 6.3 (Medium), reflecting the moderate but exploitable nature of the flaw. [1]

Mitigation

The vendor has not released a patch beyond version 3.5.09; immediate action recommended is to update the plugin to the latest available version. If updating is not possible, users should consult their hosting provider or web developer for workarounds. This vulnerability is listed with Patchstack and flagged as likely to be exploited in automated attacks. [1]