Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps acf-frontend-form-element allows Reflected XSS. This issue affects Frontend Admin by DynamiApps: from n/a through <= 3.25.17.
Published: 2025-02-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting (XSS) flaw. The Frontend Admin by DynamiApps plugin does not neutralize user-supplied data before it is rendered in the generated page. Consequently, malicious input can be reflected back to the visitor’s browser as executable script, allowing an attacker to run arbitrary code in the victim’s session.

Affected Systems

Affected systems are WordPress sites that use the Frontend Admin by DynamiApps plugin version 3.25.17 or earlier. The plugin, maintained by Shabti Kaplan, is referenced in the CPE as dynamiapps:frontend_admin. Any installation that has a vulnerable version is susceptible to the reflected XSS attack.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred from the description: an attacker could craft a URL or form input containing malicious JavaScript that is then echoed back to the victim. The impact is the execution of arbitrary script in the victim’s browser. Potential secondary effects such as session hijacking or data theft are typical of XSS but are not specifically documented in the CVE description, so they are considered inferred.

Generated by OpenCVE AI on May 2, 2026 at 09:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frontend Admin by DynamiApps plugin to version 3.25.18 or later.
  • If an immediate upgrade is not feasible, disable or uninstall the plugin until a patched version is available.
  • As a temporary measure, apply output escaping or sanitization to the plugin's rendered content to mitigate script injection.



Advisories
Source: EUVD
ID: EUVD-2025-5374
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Reflected XSS. This issue affects Frontend Admin by DynamiApps: from n/a through 3.25.17.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Reflected XSS. This issue affects Frontend Admin by DynamiApps: from n/a through 3.25.17.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps acf-frontend-form-element allows Reflected XSS. This issue affects Frontend Admin by DynamiApps: from n/a through <= 3.25.17.

Type: References

Type: Metrics (cvssV3_1)
Values Removed: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 21 May 2025 17:30:00 +0000

Type: First Time appeared
Values Added: Dynamiapps, Dynamiapps frontend Admin

Type: CPEs
Values Added: cpe:2.3:a:dynamiapps:frontend_admin:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Dynamiapps, Dynamiapps frontend Admin

Tue, 25 Feb 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Feb 2025 14:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Reflected XSS. This issue affects Frontend Admin by DynamiApps: from n/a through 3.25.17.

Type: Title
Values Added: WordPress Frontend Admin by DynamiApps plugin <= 3.25.17 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:46.159Z

Reserved: 2025-02-17T11:51:57.195Z

Link: CVE-2025-26987

Vulnrichment

Updated: 2025-02-25T19:33:34.697Z

NVD

Status: Modified

Published: 2025-02-25T15:15:31.313

Modified: 2026-04-23T15:26:11.730

Link: CVE-2025-26987

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:15:26Z

Weaknesses