Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.
Published: 2026-01-09
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated arbitrary data deletion
Action: Immediate Patch
AI Analysis

Impact

The Frontend Admin plugin for WordPress lacks a capability check on the delete_object function, so any visitor can trigger deletion of posts, pages, products, taxonomy terms, and even user accounts. The result is direct data loss and integrity compromise. The flaw is classified as CWE-862 (Missing Authorization) and carries a CVSS 3.1 base score of 9.1 (Critical). Its vector, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, records no confidentiality impact but high integrity and availability impact: an attacker can destroy content and accounts but gains no ability to read them through this bug.

Affected Systems

WordPress sites using the Frontend Admin by DynamiApps plugin up to and including version 3.28.25 are affected. Sites that have not applied the 3.28.26 update or later are at risk.

Risk and Exploitability

Because the handler performs no authentication or authorization check, any visitor who can reach the site's front-end form can trigger a deletion by submitting the request that the delete_object function processes. There is no role or capability check to bypass; the request simply succeeds. The EPSS score is below 1%, suggesting current exploit pressure is low, and the flaw is not listed in the CISA KEV catalog, but the SSVC assessment records it as automatable and the impact (loss of arbitrary posts, pages, products, terms and user accounts) is severe. The attack is straightforward: an attacker needs only the target object IDs, which WordPress generally exposes (for example through its public REST API), and a browser or script that replays the form submission. Note also that a missing capability check affects authenticated users as well: any logged-in account, regardless of role, can perform the same deletions.

Generated by OpenCVE AI on April 22, 2026 at 00:01 UTC.
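The bug class described above, as an added illustrative example in PHP that is not code from the Frontend Admin plugin: a front-end form handler that deletes whatever object ID it is posted, beside a hardened version that resolves the request to a WordPress meta capability and refuses otherwise. The function names, form field names and nonce action string are invented for the demonstration.

```php
<?php
// Added illustrative example (not Frontend Admin's own code). Models the bug
// class behind CVE-2025-14741: a front-end handler that deletes an object
// without first checking that the caller is allowed to. All names are invented.

// Shared deletion step used by both variants below.
function fea_demo_do_delete( $type, $id, $taxonomy = '' ) {
    switch ( $type ) {
        case 'user':
            require_once ABSPATH . 'wp-admin/includes/user.php';
            return wp_delete_user( $id );
        case 'term':
            return wp_delete_term( $id, $taxonomy );
        default: // posts, pages, WooCommerce products: all are post objects.
            return wp_delete_post( $id, true );
    }
}

// VULNERABLE: the only "validation" is type coercion. Nothing establishes who
// is asking, so an anonymous POST deletes any post, term or user by ID.
function fea_demo_delete_object_vulnerable() {
    $id       = absint( $_POST['object_id'] ?? 0 );
    $type     = sanitize_key( $_POST['object_type'] ?? 'post' );
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    return fea_demo_do_delete( $type, $id, $taxonomy );
}

// HARDENED: verify the form nonce (CSRF), then require the per-object meta
// capability that WordPress already resolves for the current user, and only
// then delete. The capability check is the actual fix; a nonce alone would
// not be, since nonces are visible to anyone who can load the form.
function fea_demo_delete_object_hardened() {
    $id       = absint( $_POST['object_id'] ?? 0 );
    $type     = sanitize_key( $_POST['object_type'] ?? 'post' );
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );

    $nonce = $_POST['_wpnonce'] ?? '';
    if ( ! wp_verify_nonce( $nonce, "fea_demo_delete_{$type}_{$id}" ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    switch ( $type ) {
        case 'user':
            // 'delete_user' maps to 'delete_users' in core; self-deletion is
            // refused explicitly in this example.
            $allowed = get_current_user_id() !== $id && current_user_can( 'delete_user', $id );
            break;
        case 'term':
            $term    = $taxonomy ? get_term( $id, $taxonomy ) : null;
            $allowed = $term instanceof WP_Term && current_user_can( 'delete_term', $id );
            break;
        default:
            // 'delete_post' is resolved per object: owner, status and post type.
            $allowed = get_post( $id ) instanceof WP_Post && current_user_can( 'delete_post', $id );
    }

    if ( ! $allowed ) {
        wp_die( 'You are not allowed to delete this item.', '', array( 'response' => 403 ) );
    }
    return fea_demo_do_delete( $type, $id, $taxonomy );
}
```

The vulnerable variant behaves the same whether it is reached from an init hook, a shortcode render or admin-ajax.php: the defect is in the handler, not the transport, which is why filtering at the edge is only a stopgap. The hardened variant uses meta capabilities (delete_post, delete_term, delete_user with an object ID) rather than a flat role check, so ownership and post-type rules configured on the site are honoured automatically.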

Remediation

No vendor fix or workaround is recorded in the CVE record itself. The fixed release named in the recommended actions below (3.28.26) comes from the AI analysis above; confirm it against the plugin's own changelog before treating an install as patched.

OpenCVE Recommended Actions

  • Update the Frontend Admin plugin to version 3.28.26 or later, which adds the missing capability check. Confirm the installed version from the plugin header or the WordPress plugins screen rather than assuming an automatic update ran.
  • If immediate updating is impossible, remove the 'delete post' form element (the element whose submission the delete_object function handles) from all front‑end forms, or deactivate the plugin, until it can be patched. This stops unauthenticated deletion attempts at the cost of front‑end delete functionality.
  • As a further stopgap, configure a web‑application firewall, rewrite rule, or must‑use plugin to reject the deletion form submission from clients that do not carry a wordpress_logged_in_* cookie, so that only authenticated users reach the handler. This is a coarse filter: the same missing check lets any logged‑in account, regardless of role, delete objects, so it reduces but does not remove the exposure until the plugin is updated.

Generated by OpenCVE AI on April 22, 2026 at 00:01 UTC.
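A must‑use plugin implementing the third stopgap, added here as an illustration and not vendor code. It refuses the deletion form submission unless the caller is logged in and holds a minimum capability. The request markers it matches (a POST field action=delete_object plus object_id) and the capability chosen are assumptions; confirm the real field names by capturing a deletion submission in the browser's network panel before relying on it.

```php
<?php
/**
 * Plugin Name: Temporary guard for front-end delete submissions
 *
 * Added illustrative example, not vendor code. Place this file in
 * wp-content/mu-plugins/ so it loads before regular plugins, and delete the
 * file once Frontend Admin is updated (mu-plugins cannot be deactivated from
 * the admin UI). The field name, field value and capability below are
 * ASSUMPTIONS about the plugin's form submission and must be verified.
 */

const FEA_GUARD_ACTION_FIELD = 'action';           // assumed field name
const FEA_GUARD_ACTION_VALUE = 'delete_object';    // assumed field value
const FEA_GUARD_MIN_CAP      = 'edit_others_posts'; // editor and above; tune per site

add_action( 'init', function () {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    $action = $_POST[ FEA_GUARD_ACTION_FIELD ] ?? '';
    if ( FEA_GUARD_ACTION_VALUE !== $action ) {
        return; // not a deletion submission, let it through
    }

    // Fail closed: anonymous callers are refused outright. Logged-in callers
    // must at least hold a coarse capability, because the unpatched handler
    // performs no check of its own for them either.
    if ( ! is_user_logged_in() || ! current_user_can( FEA_GUARD_MIN_CAP ) ) {
        error_log( sprintf(
            'fea-guard: refused %s for object %d from %s',
            $action,
            absint( $_POST['object_id'] ?? 0 ),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
}, 0 ); // priority 0: run before any plugin callback hooked on init
```

The guard hooks init at priority 0 because the current user is resolved just before init fires and most plugins process submissions during or after it; if the installed version handles the form earlier (for example on plugins_loaded), move the hook accordingly. The error_log line gives the incident team a record of refused attempts, which is useful when deciding whether a site was targeted before the guard went in.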

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 09 Jan 2026 13:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Dynamiapps; Dynamiapps frontend Admin; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Dynamiapps; Dynamiapps frontend Admin; Wordpress; Wordpress wordpress

Fri, 09 Jan 2026 07:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.

Type: Title
Values Removed: (none)
Values Added: Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:08.443Z

Reserved: 2025-12-15T19:08:42.013Z

Link: CVE-2025-14741

Vulnrichment

Updated: 2026-01-09T19:11:34.556Z

NVD

Status: Deferred

Published: 2026-01-09T08:15:57.660

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14741

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses