CVE-2026-2294
UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings UpdateThe UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_global_settings' function in all versions up to, and including, 3.5.09. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings.
We have discovered 11 live websites that are affected by CVE-2026-2294.
Affected Software
| Product |  Uipress Lite |
| Category | Wordpress Plugins |
| Vulnerable Domains | 11 live websites (100% of Uipress Lite install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 2 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-285 Improper AuthorizationDetails
- Published - Mar 21, 2026
- Updated - Apr 8, 2026
Credits
- Wittavat Thammawong (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-2294 United States | 4 websites |
 Brazil | 1 websites |
 Spain | 1 websites |
 Finland | 1 websites |
 GB | 1 websites |
 Ireland | 1 websites |
 Netherlands | 1 websites |
 Thailand | 1 websites |
Website Distribution by TLD
Number of websites using CVE-2026-2294| .com | 6 websites |
| .com.br | 1 websites |
| .fi | 1 websites |
| .net | 1 websites |
| .org | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-2294
Top websites that are affected by CVE-2026-2294. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.net | Netherlands | **,***,*** | |
| **********.com | Spain | **,***,*** | |
| *****************.com | United States | **,***,*** | |
| *************.***.br | Brazil | **,***,*** | |
| **********.com | Thailand | **,***,*** | |
| ***********.ie | Ireland | **,***,*** | |
| *****.fi | Finland | **,***,*** | |
| **.********.com | GB | **,***,*** | |
| *************.com | United States | **,***,*** | |
| ***********.org | United States | **,***,*** |
FAQ
CVE-2026-2294 is Improper Authorization in Uipress Lite
A total of 11 websites have been identified as vulnerable to CVE-2026-2294, based on global website indexing conducted by WebTechSurvey.
The Uipress Lite is affected by the CVE-2026-2294 vulnerability.
Uipress Lite versions up to and including 3.5.9 are vulnerable to CVE-2026-2294.