CVE-2025-3053: 
WordPress vulnerability analysis and mitigation

The UiPress lite WordPress plugin, which provides custom dashboards and admin themes, contains a Remote Code Execution vulnerability (CVE-2025-3053) affecting all versions up to and including 3.5.07. The vulnerability exists in the uipprocessform_input() function, which accepts user-supplied inputs to execute arbitrary functions without proper capability checks (NVD).

The vulnerability stems from the uipprocessform_input() function's implementation, which allowed execution of arbitrary functions with arbitrary data without proper authorization controls. The issue has a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to execute arbitrary code on the server, potentially leading to complete server compromise (NVD).

The vulnerability has been addressed in version 3.5.08 of the plugin by disabling the ability to pass form data to user-specified functions. The patch includes an error message stating 'Passing form data to user specified functions has been disabled to prevent potential security issues' (WordPress Plugin).