Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.29. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field.
Published: 2026-01-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Update
AI Analysis

Impact

The Frontend Admin by DynamiApps WordPress plugin allows an unauthenticated attacker to register as an administrator because the plugin fails to properly validate role inputs in internal validation, pre_update, and display functions. This flaw, identified as CWE‑269 (Improper Control of Privileged Access), directly enables an attacker to gain full site control, compromising confidentiality, integrity, and availability for the entire WordPress installation.

Affected Systems

All users of the Frontend Admin by DynamiApps plugin running WordPress, with any installation of version 3.28.29 or earlier, are affected. The vulnerability is present in every build up to and including 3.28.29 and thus applies to all sites that have not upgraded beyond that release.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity level, yet the EPSS score of less than 1% suggests that exploitation is currently unlikely. The flaw is not listed in CISA’s KEV catalog. The attack requires access to a user registration page that contains a Role field; any visitor who can submit the form with arbitrary role data can promote themselves to administrator. Because the attacker can achieve this without authentication, the risk to organizations that expose such forms is substantial, but the low exploitation probability mitigates immediate concern.

Generated by OpenCVE AI on April 22, 2026 at 20:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frontend Admin by DynamiApps plugin to a version newer than 3.28.29 to ensure proper role validation is applied.
  • Remove or disable the Role field from public registration forms so that untrusted users cannot submit privileged role values.
  • Restrict access to the registration page to authenticated or trusted users so that only authorized accounts can be created with elevated privileges.

Generated by OpenCVE AI on April 22, 2026 at 20:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field. The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.29. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field.
Title Frontend Admin by DynamiApps <= 3.28.25 - Unauthenticated Privilege Escalation to Administrator via Role Form Field Frontend Admin by DynamiApps <= 3.28.29 - Unauthenticated Privilege Escalation to Administrator via Role Form Field
References

Fri, 09 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Shabti
Shabti frontend Admin By Dynamapps
Wordpress
Wordpress wordpress
Vendors & Products Shabti
Shabti frontend Admin By Dynamapps
Wordpress
Wordpress wordpress

Fri, 09 Jan 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field.
Title Frontend Admin by DynamiApps <= 3.28.25 - Unauthenticated Privilege Escalation to Administrator via Role Form Field
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Shabti Frontend Admin By Dynamapps
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:05.628Z

Reserved: 2025-12-15T18:33:44.721Z

Link: CVE-2025-14736

cve-icon Vulnrichment

Updated: 2026-01-09T17:05:26.344Z

cve-icon NVD

Status : Deferred

Published: 2026-01-09T07:16:01.333

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14736

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:15:20Z

Weaknesses