
CVE-2025-11003: Critical JavaScript Injection Vulnerability in UiPress Lite WordPress Plugin

Overview

CVE-2025-11003 is a medium-severity vulnerability affecting the UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress. This security flaw allows authenticated attackers with Subscriber-level access or higher to inject and save templates containing custom JavaScript. The vulnerability exists due to a missing capability check on the uip_save_ui_template function within the plugin.

This vulnerability impacts versions up to, and including, 3.5.08 of the UiPress Lite plugin.

Technical Details

The vulnerability resides in the uip_save_ui_template function within the UiPress Lite plugin. Specifically, the code lacks a proper capability check before allowing users to save UI templates. This means that users with minimal privileges (Subscriber and above) can save templates that include arbitrary JavaScript code.

Affected code locations:

An attacker can exploit this by crafting a malicious UI template containing JavaScript, saving it through the vulnerable function, and then triggering the execution of the injected JavaScript when the template is loaded or rendered.
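To make the defect class concrete from a defender's side, the following PHP is an added illustration, not code from UiPress Lite: a WordPress AJAX template-save handler that only requires a login, beside the hardened form that verifies a nonce and the caller's capability before writing anything. The handler names, option name and nonce action are hypothetical.

```php
<?php
// Illustrative WordPress AJAX handlers (hypothetical names, not the plugin's code).
// Models the missing-capability-check pattern described above and its fix.

// --- Vulnerable pattern: wp_ajax_* hooks fire for EVERY logged-in user,
// so with no capability check a Subscriber can reach this and persist a template.
function example_save_ui_template_unchecked() {
    $template = wp_unslash( $_POST['template'] ?? '' );
    update_option( 'example_ui_template', $template ); // template (incl. any script) stored as-is
    wp_send_json_success();
}

// --- Hardened pattern: CSRF nonce plus a capability gate before any write.
function example_save_ui_template_checked() {
    // Reject requests not generated from a page that carried our nonce (CSRF guard).
    check_ajax_referer( 'example_save_ui_template', 'security' );

    // Templates that can carry JavaScript are an administrative asset: require an
    // admin-level capability. Where the payload may contain raw script,
    // 'unfiltered_html' is the WordPress capability that governs that privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $template = wp_unslash( $_POST['template'] ?? '' );
    update_option( 'example_ui_template', $template );
    wp_send_json_success();
}

// Only the checked handler is registered; the unchecked one is shown for contrast.
add_action( 'wp_ajax_example_save_ui_template', 'example_save_ui_template_checked' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*` or REST callback that writes data and confirm a `current_user_can()` check precedes the write, since authentication alone is not authorization.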

CVSS Analysis

The CVSS score for CVE-2025-11003 is 6.4 (MEDIUM). The vector string provides further details:

  • CVSS Score: 6.4
  • Vector String: (Not available – derived from impact and exploitability)

This score reflects the potential for unauthorized modification of data and the relatively low privileges required to exploit the vulnerability. Although exploitation requires authentication, Subscriber-level accounts are often easy to obtain (for example on sites with open registration), which lowers the barrier to entry for attackers.

Possible Impact

Successful exploitation of this vulnerability could lead to several severe consequences:

  • Account Takeover: Injected JavaScript could be used to capture administrator credentials or perform actions on behalf of administrators.
  • Cross-Site Scripting (XSS): The injected JavaScript could be executed in the context of other users, leading to XSS attacks.
  • Website Defacement: Malicious JavaScript could alter the appearance or functionality of the website.
  • Data Theft: Injected code could be used to steal sensitive data from the website or its users.

Mitigation and Patch Steps

The most effective way to mitigate this vulnerability is to update the UiPress Lite plugin to the latest version. Check the WordPress plugin repository or the plugin developer’s website for updates.

The available information specifies only that versions up to and including 3.5.08 are affected. If you are running version 3.5.08 or earlier, update immediately to avoid being exposed to this vulnerability.

References

Wordfence Vulnerability Report
UiPress Lite Code: UiTemplates.php
UiPress Lite Code: uiBuilder.php

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
