10,000 WordPress Sites Affected by Remote Code Execution Vulnerability in UiPress lite WordPress Plugin




On March 29th, 2025, we received a submission for a Remote Code Execution vulnerability in UiPress lite, a WordPress plugin with over 10,000 active installations. This vulnerability can be leveraged to execute code remotely, which makes it possible for attackers to do nearly anything, including injecting backdoors, exfiltrating sensitive information, and injecting malicious spam or SEO redirects, just to name a few impacts.

Props to cynau1t and the TIANGONG Team who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. These researchers earned a bounty of $430.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 31, 2025. Sites using the free version of Wordfence received the same protection 30 days later on April 30, 2025.

We contacted the UiPress team on March 31, 2025, and received a response on April 2, 2025. After providing full disclosure details, and various follow-ups, the developer released the patch on May 13, 2025.

We urge users to update their sites with the latest patched version of UiPress lite, version 3.5.08 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Plugin: UiPress lite | Effortless custom dashboards, admin themes and pages
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-3053
Affected Versions: all versions up to, and including, 3.5.07
Patched Version: 3.5.08
Bounty: $430.00
Affected Software: UiPress Lite
Affected Software Slug: uipress-lite
Researchers: cynau1t, TIANGONG Team

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. This is due to the function calling a user-supplied function name with user-supplied data, without any capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary code on the server.

Technical Analysis

UiPress lite is a block-based visual builder plugin for the WordPress admin.

Examining the code reveals that the plugin uses the uip_process_form_input() function in the uip_ajax class for input processing during form submissions.

public function uip_process_form_input()
{
  // Check security nonce and 'DOING_AJAX' global
  // (a nonce check, not a capability check: it proves the request came from a
  // logged-in session, not that the user is allowed to perform the action)
  Ajax::check_referer();

  // Attacker-controlled argument: JSON-decoded straight from the request body
  $data = json_decode(stripslashes($_POST["formData"]));
  $data = Sanitize::clean_input_with_code($data);

  // Attacker-controlled callee: any function name the request supplies
  $userFunction = sanitize_text_field($_POST["userFunction"]);

  // Only checks that the name resolves to a defined function; no allow-list
  if (!function_exists($userFunction)) {
    Ajax::error(__("Passed function doesn't exist", "uipress-lite"));
  }

  // Try to start user supplied function
  try {
    $userFunction($data); // the vulnerable sink: arbitrary function, arbitrary argument
  } catch (\Throwable $e) {
    // The original excerpt ends at the call above; this catch block is added
    // only so the excerpt is syntactically complete and is not the plugin's code.
    Ajax::error($e->getMessage());
  }
}

The function used to process the form is taken from the ‘userFunction’ request parameter, and the data passed to it comes from the ‘formData’ request parameter, so both the callee and its argument are fully under the client’s control. The only guard is Ajax::check_referer(), a nonce check that shows the request came from a logged-in session but says nothing about that user’s privileges, and function_exists(), which merely confirms that the supplied name resolves to a defined function. There is no allow-list of permitted handlers and no capability check, so any authenticated user can invoke an arbitrary PHP or WordPress function with an arbitrary JSON-decoded argument.

One example of leveraging this vulnerable function call to achieve privilege escalation is that an attacker can use the wp_update_user() function to update their own user’s role to administrator.
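The following is an added example, not UiPress or Wordfence code: it reduces the dispatch pattern described above to a vulnerable function and places a hardened version beside it, in which the client names an action key rather than a PHP symbol, the key is resolved through a fixed handler map, the caller must hold a capability, and each handler validates its own payload. The stand-in definitions of sanitize_text_field() and current_user_can() are an assumption made so the file runs under the php CLI without WordPress; a real plugin uses the core functions.

```php
<?php
// Added example (not UiPress or Wordfence code): the unsafe dispatch pattern
// from the advisory reduced to its essentials, next to a hardened version.
// The WordPress functions below are minimal stand-ins (an assumption made so
// the file runs under the php CLI without WordPress); a real plugin uses core.

if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}
if (!function_exists('current_user_can')) {
    // Stand-in: only "admins" (flag set in the demo below) hold manage_options.
    function current_user_can($cap) {
        return $cap === 'manage_options' && !empty($GLOBALS['demo_is_admin']);
    }
}

// Vulnerable shape: any existing function name becomes the callee and the
// JSON-decoded request body becomes its argument. function_exists() is not
// an authorization check, and a nonce only proves the request came from a
// logged-in session, not that the user may perform the action.
function vulnerable_dispatch(string $userFunction, $data)
{
    $userFunction = sanitize_text_field($userFunction);
    if (!function_exists($userFunction)) {
        return ['error' => "Passed function doesn't exist"];
    }
    return ['result' => $userFunction($data)]; // attacker-chosen callee and argument
}

// Hardened shape: the client names an action key, never a PHP symbol. The key
// resolves through a fixed map, the caller must hold a capability, and each
// handler validates the shape of its own payload before touching it.
function hardened_dispatch(string $action, $data, string $requiredCap = 'manage_options')
{
    if (!current_user_can($requiredCap)) {
        return ['error' => 'Insufficient permissions'];
    }

    $handlers = [
        'save_note' => function ($d) {
            if (!is_object($d) || !isset($d->note) || !is_string($d->note)) {
                return ['error' => 'Invalid payload'];
            }
            return ['saved' => substr($d->note, 0, 200)];
        },
    ];

    $action = sanitize_text_field($action);
    if (!array_key_exists($action, $handlers)) {
        return ['error' => 'Unknown action'];
    }
    return ['result' => $handlers[$action]($data)];
}

// Demo. The vulnerable handler calls whatever global function is named;
// strlen stands in for something far more dangerous.
var_dump(vulnerable_dispatch('strlen', 'abc'));

// Constructed payload of the kind a role-change attempt would carry. The
// hardened handler rejects a PHP symbol name as an unknown action, and
// rejects the request outright when the caller lacks the capability.
$roleChange = json_decode('{"ID":5,"role":"administrator"}');
var_dump(hardened_dispatch('wp_update_user', $roleChange));
$GLOBALS['demo_is_admin'] = true;
var_dump(hardened_dispatch('wp_update_user', $roleChange));
var_dump(hardened_dispatch('save_note', json_decode('{"note":"hello"}')));
```

Run it with `php dispatch.php`. The first call shows that the vulnerable shape happily invokes whatever function the request names; the two wp_update_user calls against the hardened shape are refused first for lack of capability and then as an unknown action, and only the allow-listed save_note key, with a payload of the expected shape, reaches a handler. The important design point is that the map is the only path from request data to executable code, so adding a handler is a deliberate code change rather than something a request can do on its own.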

As with all remote code execution vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.

Disclosure Timeline

March 29, 2025 – We received submissions for both a Remote Code Execution vulnerability and an Arbitrary File Deletion vulnerability in UiPress lite via the Wordfence Bug Bounty Program.
March 31, 2025 – We validated the reports and confirmed the proof-of-concept exploits.
March 31, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
March 31, 2025 – We initiated contact with the plugin vendor asking them to confirm the inbox for handling the discussion.
April 2, 2025 – The vendor confirmed the inbox for handling the discussion.
April 2, 2025 – We sent over the full disclosure details to the vendor.
April 30, 2025 – Wordfence Free users received the same protection.
May 13, 2025 – The fully patched version of the plugin, 3.5.08, was released.

Conclusion

In this blog post, we detailed a Remote Code Execution vulnerability within the UiPress lite plugin affecting versions 3.5.07 and earlier. This vulnerability allows authenticated threat actors, with Subscriber-level access and above, to execute malicious code on the server. The vulnerability has been addressed in version 3.5.08 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of UiPress lite as soon as possible, given the severity of this vulnerability.


If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
