CVE-2026-27091
Missing Authorization in UiPress Lite Allows Unauthorized Access
Publication date: 2026-03-19
Last updated on: 2026-04-23
Assigner: Patchstack
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| UiPress (WordPress plugin author; Patchstack is the CVE assigner, not the vendor) | UiPress Lite (uipress_lite) | all versions up to and including 3.5.09 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation: apply the Patchstack mitigation rule written for this vulnerability; it blocks exploitation attempts at the request layer until an official patch is released.
Update the UiPress Lite plugin to a patched version (anything later than 3.5.09) as soon as one becomes available; the rule is a stopgap, not a fix.
Because exploitation requires a low-privileged account, also review who holds Subscriber-level access and disable open registration (Settings > General > "Anyone can register") if the site does not need it, so that an attacker cannot simply create the account the attack needs.
If you cannot do this yourself, ask your hosting provider or web developer to implement these protective measures.
Can you explain this vulnerability to me?
CVE-2026-27091 is a Missing Authorization vulnerability (CWE-862) in the WordPress plugin UiPress Lite, versions up to and including 3.5.09. It is a Broken Access Control issue: certain plugin functions are reachable by authenticated users without the authorization (capability) check, and without the nonce check, that should guard them.
As a result, a low-privileged authenticated user, for example a Subscriber account, can perform actions that normally require higher privileges, potentially compromising the security of the affected website.
The vulnerability falls under OWASP Top 10 category A01:2021 Broken Access Control and is rated medium severity with a CVSS score of 6.3.
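The pattern the answer describes, shown as an added illustration in generic WordPress plugin code (this is not UiPress Lite's code, and the `example_*` function, action and option names are hypothetical): an admin-ajax handler that trusts any logged-in caller, next to the hardened form that adds the nonce check and the capability check the page says are missing.

```php
<?php
/**
 * Illustrative WordPress AJAX handlers (added example, not UiPress code).
 * All names prefixed example_ are hypothetical.
 */

// VULNERABLE (CWE-862): registered on wp_ajax_*, so any logged-in user,
// a Subscriber included, can POST to wp-admin/admin-ajax.php?action=example_save_settings
// and the handler writes whatever it is sent. No nonce, no capability check.
function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );

// HARDENED: wp_ajax_ (not wp_ajax_nopriv_) already implies authentication; the
// nonce ties the request to a form this user was actually shown (anti-CSRF), and
// the capability check is the authorization that was missing. A nonce on its own
// is NOT authorization: a Subscriber can obtain a valid nonce for their own session.
function example_save_settings_hardened() {
    // Must match the action used when the nonce was minted with
    // wp_create_nonce( 'example_save_settings' ); dies with -1 on mismatch.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Authorization: only users allowed to manage the site may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input handling: accept only known keys and sanitize each value.
    $allowed  = array( 'theme', 'logo_url' );
    $incoming = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $clean    = array();
    foreach ( $allowed as $key ) {
        if ( isset( $incoming[ $key ] ) ) {
            $clean[ $key ] = ( 'logo_url' === $key )
                ? esc_url_raw( $incoming[ $key ] )
                : sanitize_text_field( $incoming[ $key ] );
        }
    }
    update_option( 'example_plugin_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_example_save_settings_secure', 'example_save_settings_hardened' );
```

The client side must send the nonce (typically minted with `wp_create_nonce()` and handed to the script via `wp_localize_script()`); without it the hardened handler rejects every request, which is the correct failure mode. When auditing a plugin for this class of bug, look at every `wp_ajax_*`, `wp_ajax_nopriv_*` and `register_rest_route()` callback and ask two separate questions: is there a `check_ajax_referer()`/`permission_callback`, and is there a `current_user_can()` with a capability that actually matches the sensitivity of the action.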
How can this vulnerability impact me?
An attacker holding a low-privileged account (for example a Subscriber) can perform actions that should require higher privileges, leading to unauthorized access to or modification of website data.
Depending on what the affected functions do, this can compromise the integrity, confidentiality and availability of the WordPress site.
Missing-authorization flaws in widely installed WordPress plugins are routinely exploited in automated mass campaigns, so low-traffic or obscure sites are targeted just as readily as popular ones.
As of this page's last update, no official patch is available; the Patchstack mitigation rule can block exploitation attempts until one is released.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a missing authorization and nonce check in certain UiPress Lite functions, so exploitation looks like an ordinary authenticated request from a low-privileged account; there is nothing to find in a port scan.
No detection command or signature is provided in the available resources, so detection has two parts: confirming exposure and watching for misuse.
First confirm exposure by comparing the installed version of UiPress Lite (shown under Plugins > Installed Plugins, or via `wp plugin list --fields=name,version` with WP-CLI) against the affected range, which includes 3.5.09 itself.
Then watch for Subscriber-level (or other low-privileged) accounts hitting wp-admin/admin-ajax.php or REST endpoints they have no reason to use, newly registered accounts that immediately make such requests, and unexpected changes to site settings; note that web-server access logs alone do not record the WordPress role, so the correlation has to happen in WordPress or an application log.
Additionally, a web application firewall rule such as the one provided by Patchstack can both detect and block exploit attempts.
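A way to produce the role-aware signal described above, as an added example (not UiPress or Patchstack code): a must-use plugin that flags an installed UiPress Lite build inside the affected range and logs every admin-ajax action and REST request made by an authenticated user who cannot `manage_options`. The plugin-name match and the 3.5.09 ceiling come from this page; the `manage_options` threshold and the `example_` names are assumptions you can tune.

```php
<?php
/**
 * Plugin Name: Low-privilege admin-ajax/REST activity logger (added example)
 * Place in wp-content/mu-plugins/ so it loads before any regular plugin.
 * Added example, not UiPress or Patchstack code; example_* names are hypothetical.
 */

// Affected range from this page: all versions up to and including 3.5.09.
// version_compare() compares numeric parts as integers, so "3.5.09" and
// "3.5.9" are treated as equal and either spelling of the ceiling works.
function example_uipress_lite_is_affected( $version ) {
    return version_compare( $version, '3.5.09', '<=' );
}

// Locate UiPress Lite by its plugin header name rather than guessing a path.
function example_installed_uipress_lite_version() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $file => $data ) {
        if ( false !== stripos( $data['Name'], 'UiPress lite' ) ) {
            return $data['Version'];
        }
    }
    return null; // not installed
}

add_action( 'admin_init', function () {
    $v = example_installed_uipress_lite_version();
    if ( null !== $v && example_uipress_lite_is_affected( $v ) ) {
        error_log( sprintf( '[cve-2026-27091] UiPress Lite %s is within the affected range (<= 3.5.09)', $v ) );
    }
} );

// One log line per request from an authenticated, low-privileged user.
// Administrators and anonymous traffic are skipped: they are not the signal.
function example_log_low_priv_request( $kind, $target ) {
    if ( ! is_user_logged_in() || current_user_can( 'manage_options' ) ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        '[low-priv %s] user=%s roles=%s ip=%s method=%s target=%s',
        $kind,
        $user->user_login,
        implode( ',', $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-',
        $target
    ) );
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, so a
// single hook sees every AJAX action, including ones a plugin forgot to guard.
add_action( 'admin_init', function () {
    if ( wp_doing_ajax() && isset( $_REQUEST['action'] ) ) {
        example_log_low_priv_request( 'ajax', sanitize_key( $_REQUEST['action'] ) );
    }
} );

// REST API: rest_pre_dispatch runs after authentication and before the route
// callback, so the current user is known and the request has not yet acted.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    example_log_low_priv_request( 'rest', $request->get_method() . ' ' . $request->get_route() );
    return $result;
}, 10, 3 );
```

With `WP_DEBUG_LOG` enabled the lines land in wp-content/debug.log; otherwise they go to PHP's configured error log. Expect baseline noise from legitimate front-end features (comment forms, profile edits, themes that use admin-ajax), so run it for a day on a clean site first, then treat any Subscriber or Contributor account that starts calling actions or routes outside that baseline, especially shortly after registering, as something to investigate. The logger only observes; the Patchstack rule or an updated plugin is still what stops the request.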