Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-09
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Frontend Admin plugin for WordPress is vulnerable to stored cross-site scripting because the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action is not properly sanitized or escaped. An unauthenticated attacker can submit JavaScript that is then stored in the database and will execute whenever a user loads a page containing the modified form field.

Affected Systems

The vulnerability exists in all versions of the Frontend Admin plugin from DynamiApps up to and including 3.28.23. Any WordPress site that has installed a version in this range and is exposing the AJAX endpoint is at risk.

Risk and Exploitability

With a CVSS score of 7.2, the flaw is considered high severity. The EPSS score of less than 1% suggests that exploit attempts are currently rare, and it is not present in the CISA KEV catalog. Exploitation requires no privileged access: the unauthenticated AJAX endpoint can be reached by any user, so the attack reduces to a single crafted web request.

Generated by OpenCVE AI on April 22, 2026 at 00:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frontend Admin plugin to version 3.28.24 or later, which removes the vulnerable parameter handling.
  • If an immediate update is not possible, uninstall or disable the plugin to eliminate the exposed AJAX endpoint.
  • As a temporary measure, block unauthenticated access to the '/frontend_admin/forms/update_field' URL by adding a WAF rule or restricting the IPs that can reach it, and ensure that output from the plugin is properly escaped.

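The weakness class described in the Impact section (an AJAX action reachable without authentication that stores a request parameter unsanitized and renders it unescaped) and the escaping fix called for in the recommended actions, shown as an added, hypothetical WordPress handler. This is not the Frontend Admin plugin's code; the action name 'demo_update_field', the meta key 'demo_field' and the nonce name are assumptions.

```php
<?php
// Hypothetical AJAX handler illustrating CWE-79 in a WordPress plugin (added example,
// not the Frontend Admin plugin's code; action, meta key and nonce names are assumed).

// --- Weak pattern: reachable without login, value stored raw, rendered unescaped ---
add_action( 'wp_ajax_nopriv_demo_update_field', 'demo_update_field_weak' );
function demo_update_field_weak() {
    $post_id = (int) $_POST['post_id'];
    update_post_meta( $post_id, 'demo_field', $_POST['acff'] ); // stored exactly as submitted
    echo get_post_meta( $post_id, 'demo_field', true );        // echoed as-is: stored XSS
    wp_die();
}

// --- Hardened pattern: logged-in only, nonce, capability check, sanitize in, escape out ---
// Registering only the wp_ajax_ hook (not wp_ajax_nopriv_) removes unauthenticated reach.
add_action( 'wp_ajax_demo_update_field', 'demo_update_field_safe' );
function demo_update_field_safe() {
    // 1. CSRF protection: the request must carry a nonce issued to this user (dies on failure).
    check_ajax_referer( 'demo_update_field', 'nonce' );

    // 2. Authorization: the caller must be allowed to edit the target post.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input sanitization: a plain-text field gets tags and control characters stripped.
    $raw   = isset( $_POST['acff'] ) ? wp_unslash( $_POST['acff'] ) : '';
    $value = sanitize_text_field( $raw );
    if ( strlen( $value ) > 500 ) {
        wp_send_json_error( array( 'message' => 'value too long' ), 400 );
    }
    update_post_meta( $post_id, 'demo_field', $value );

    // 4. Output escaping: escape at render time even though the input was sanitized,
    //    because the same meta may be written by other code paths.
    wp_send_json_success( array( 'rendered' => esc_html( $value ) ) );
}

// Rendering the stored value in a template: escape on output, every time.
function demo_render_field( $post_id ) {
    $stored = get_post_meta( $post_id, 'demo_field', true );
    return '<span class="demo-field">' . esc_html( $stored ) . '</span>';
}
```

If the field legitimately needs limited HTML, replace sanitize_text_field() with wp_kses_post() on input and wp_kses_post() again on output rather than esc_html().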

Tracking


Advisories

No advisories yet.

History

Fri, 09 Jan 2026 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 09 Jan 2026 13:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Dynamiapps; Dynamiapps frontend Admin; Wordpress; Wordpress wordpress
Vendors & Products  |                | Dynamiapps; Dynamiapps frontend Admin; Wordpress; Wordpress wordpress

Fri, 09 Jan 2026 07:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title       |                | Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via 'update_field'
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Dynamiapps Frontend Admin
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:53.635Z

Reserved: 2025-12-18T21:15:38.790Z

Link: CVE-2025-14937

Vulnrichment

Updated: 2026-01-09T19:11:11.507Z

NVD

Status : Deferred

Published: 2026-01-09T08:15:57.813

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14937

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses