CVE-2026-27091
Received Received - Intake
Missing Authorization in UiPress Lite Allows Unauthorized Access

Publication date: 2026-03-19

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Missing Authorization vulnerability in UiPress UiPress lite uipress-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UiPress lite: from n/a through <= 3.5.09.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27091
EUVD
EUVD-2026-13067
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack uipress_lite to 3.5.09 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include applying the Patchstack mitigation rule designed to block attacks exploiting this vulnerability until an official patch is released.

Users should update the UiPress lite plugin to a patched version as soon as it becomes available.

In the meantime, seek assistance from your hosting provider or web developer to implement protective measures.

Executive Summary

CVE-2026-27091 is a Missing Authorization vulnerability in the WordPress UiPress lite plugin versions up to and including 3.5.09. It is a Broken Access Control issue caused by missing authorization, authentication, or nonce token checks in certain plugin functions.

This flaw allows unprivileged users, such as subscribers or developers, to perform actions that normally require higher privileges, potentially compromising the security of the affected website.

The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control and has a medium severity with a CVSS score of 6.3.

Impact Analysis

This vulnerability can allow attackers with low-level privileges (such as subscribers or developers) to perform unauthorized actions that require higher privileges, potentially leading to unauthorized access or modification of website data.

Such exploitation can compromise the integrity, confidentiality, and availability of the affected WordPress site.

Additionally, this vulnerability is commonly targeted in mass campaigns affecting many websites regardless of their traffic or popularity.

Currently, no official patch is available, but mitigation rules from Patchstack can help block attacks until a patch is released.

Compliance Impact

I don't know

Detection Guidance

The vulnerability arises from missing authorization and authentication checks in the UiPress lite WordPress plugin, allowing lower-privileged users to perform higher-privilege actions.

There is no specific detection command or signature provided in the available resources.

To detect exploitation attempts, monitoring for unusual access patterns or unauthorized actions performed by subscriber or developer roles within the WordPress site may help.

Additionally, applying web application firewall (WAF) rules, such as those provided by Patchstack, can help detect and block exploit attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27091. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart