Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires that the attacker also supply a valid 'orderby' parameter in the same request, as this is necessary to reach the vulnerable code path that processes and concatenates the 'order' value into the SQL query.
Published: 2026-05-29
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Frontend Admin by DynamiApps plugin for WordPress contains a generic SQL Injection flaw (CWE‑89) in its handling of the 'order' parameter. The plugin concatenates the value of this parameter directly into an SQL query without proper escaping or parameterization, enabling an attacker who is logged in with administrator‑level privileges and supplies a valid 'orderby' argument, to inject and execute arbitrary SQL statements. Successful exploitation could result in the unauthorized extraction of sensitive data from the database, compromising confidentiality.

Affected Systems

This vulnerability affects all releases of the Frontend Admin by DynamiApps plugin up to and including version 3.28.28. WordPress users who deploy any of those versions are susceptible until the plugin is updated to a fixed version. No other vendors or products are listed as impacted by the CNA.

Risk and Exploitability

The CVSS base score of 4.9 indicates a moderate severity; the EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authenticated administrator access and the provision of both 'order' and 'orderby' parameters, its exploitation is limited to trusted users with high privileges. Nevertheless, an attacker with such access can potentially read or exfiltrate database contents, making the risk significant within the affected environment.

Generated by OpenCVE AI on May 29, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frontend Admin by DynamiApps plugin to the latest version that addresses the SQL injection vulnerability.
  • If an immediate upgrade is not possible, restrict the plugin’s functionality to trusted administrator accounts or remove the plugin entirely to prevent exploitation.
  • Implement input validation or a web application firewall rule to block malicious requests containing unexpected SQL syntax in the 'order' parameter.

Generated by OpenCVE AI on May 29, 2026 at 10:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Shabti
Shabti frontend Admin By Dynamapps
Wordpress
Wordpress wordpress
Vendors & Products Shabti
Shabti frontend Admin By Dynamapps
Wordpress
Wordpress wordpress

Fri, 29 May 2026 10:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires that the attacker also supply a valid 'orderby' parameter in the same request, as this is necessary to reach the vulnerable code path that processes and concatenates the 'order' value into the SQL query.
Title Frontend Admin by DynamiApps <= 3.28.28 - Authenticated (Administrator+) SQL Injection via 'order' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Shabti Frontend Admin By Dynamapps
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-29T10:05:08.058Z

Reserved: 2026-05-28T19:35:54.219Z

Link: CVE-2026-10039

cve-icon Vulnrichment

Updated: 2026-05-29T10:05:02.857Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T09:16:16.833

Modified: 2026-05-29T13:09:05.450

Link: CVE-2026-10039

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T10:30:41Z

Weaknesses