Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
Published: 2026-03-26
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a PHP Object Injection (CWE-502, deserialization of untrusted data) caused by unrestricted deserialization of the 'post_content' field of admin_form posts. Because the plugin passes that content to WordPress's maybe_unserialize(), which calls unserialize() with no allowed_classes restriction, an authenticated user with the Editor role or higher can store a serialized string that instantiates an object of any class loaded at that point, with its properties set to attacker-chosen values. Instantiation alone is only the primitive; magic methods such as __wakeup() and __destruct() on the injected object then run with those properties. The advisory notes that a POP (property-oriented programming) gadget chain is present, which turns that primitive into arbitrary code execution on the web server.
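As an added example (not code from the Frontend Admin plugin or from WordPress core), the PHP below shows the shape of the vulnerable call beside a hardened form. The ConfigLoader gadget class and the payload are constructed for illustration; the actual POP chain against this plugin is not described on this page, and the regex is a simplified stand-in for WordPress's is_serialized() check.

```php
<?php
// Added example, not the plugin's or WordPress core's code.
// The gadget class and payload are constructed for illustration.

// Constructed gadget: a class whose magic method acts on properties the
// attacker controls through the serialized string. Real chains reuse classes
// already loaded by WordPress, the plugin, or other installed plugins
// (__wakeup, __destruct, __toString, ...).
class ConfigLoader {
    public $callback = 'strtoupper';
    public $arg = 'safe';
    public function __wakeup() {
        // Runs as soon as unserialize() has rebuilt the object.
        $out = call_user_func($this->callback, $this->arg);
        echo "gadget fired via {$this->callback}: {$out}\n";
    }
}

// Same shape as WordPress's maybe_unserialize(): unserialize anything that
// looks serialized, with no class restriction. (Simplified is_serialized check.)
function vulnerable_unserialize(string $post_content) {
    if (preg_match('/^([aOCsidb]:|N;)/', $post_content) === 1) {
        return @unserialize($post_content);   // any class gets instantiated
    }
    return $post_content;
}

// Hardened variant: objects are never instantiated, so no magic method runs.
// Any O:/C: token comes back as a __PHP_Incomplete_Class placeholder.
function hardened_unserialize(string $post_content) {
    if (preg_match('/^([aOCsidb]:|N;)/', $post_content) === 1) {
        $value = @unserialize($post_content, ['allowed_classes' => false]);
        return $value === false ? $post_content : $value;
    }
    return $post_content;
}

// Constructed payload, as an Editor could store it in an admin_form post:
// the property values are chosen by the attacker, not by the class.
$payload = 'O:12:"ConfigLoader":2:{s:8:"callback";s:6:"system";s:3:"arg";s:2:"id";}';

echo "vulnerable path:\n";
vulnerable_unserialize($payload);   // __wakeup() runs system('id')

echo "hardened path:\n";
$obj = hardened_unserialize($payload);
var_dump(get_class($obj));          // string(22) "__PHP_Incomplete_Class"
```

Run it with `php demo.php`. WordPress core's maybe_unserialize() has no way to pass allowed_classes, so a plugin that must keep serialized data in post_content has to call unserialize() itself with allowed_classes set to false (or to an explicit list of plain data classes), or store JSON and use json_decode() instead. One caveat with the hardened form: __PHP_Incomplete_Class keeps the original class name, and if that value is serialized and stored again, a later unrestricted unserialize() elsewhere revives the object, so reject object tokens rather than only neutralising them.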

Affected Systems

Affected systems are WordPress sites that have the Frontend Admin by DynamiApps plugin installed at any version up to and including 3.28.31. No specific hardware or OS platform is mentioned; the risk applies to every environment that hosts the vulnerable plugin, regardless of other configurations.

Risk and Exploitability

With a CVSS 3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) the vulnerability has a high impact on confidentiality, integrity and availability, but exploitation requires an authenticated account with the Editor role or higher, which is why the base score stays below critical. An EPSS score under 1% and absence from the KEV catalog mean there is currently no evidence of exploitation in the wild; they do not rule it out, and a single compromised or malicious Editor account is all that is needed. Site administrators should treat this as high risk and remediate promptly. The attack path is to store a crafted serialized string as the post_content of an admin_form post, through whatever editor or form the plugin exposes for those posts, and then trigger the code path that hands that content to maybe_unserialize().

Generated by OpenCVE AI on March 26, 2026 at 04:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to the latest version (≥3.28.32) where the deserialization issue has been fixed.
  • If an update cannot be performed immediately, consider disabling the plugin or removing it from the site until a patch is available.
  • Restrict the Editor role and above to trusted accounts, review the existing users at that level, and prevent lower-privileged users from creating or editing admin_form posts.
  • As a temporary measure, audit existing admin_form posts for serialized post_content that contains object tokens (O: or C:) and remove or re-create any you do not recognise, or stop using post_content in forms until a fix is applied.
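A way to carry out the audit step above, added here as an example rather than taken from the plugin or from OpenCVE. The functions are plain PHP and run stand-alone against the constructed samples at the bottom; inside WordPress (for instance via `wp eval-file scan.php`) the same scan walks every admin_form post with get_posts(). The scan deserializes with allowed_classes set to false, so examining a malicious payload cannot itself trigger a gadget. The admin_form post type name comes from the advisory; the sample payloads and the Gadget0 class name are constructed.

```php
<?php
// Added example, not part of the plugin or of OpenCVE's guidance.
// Finds object tokens in serialized post_content without ever instantiating
// an object: with allowed_classes => false every O:/C: token becomes a
// __PHP_Incomplete_Class placeholder that still carries the class name.

// Recursively collect "path -> ClassName" for every placeholder found.
function find_object_tokens($value, string $path = '$'): array {
    $hits = [];
    if ($value instanceof __PHP_Incomplete_Class) {
        // Direct property access on an incomplete object is not allowed,
        // but an array cast exposes the stored name and properties.
        $props = (array) $value;
        $hits[] = $path . ' -> ' . ($props['__PHP_Incomplete_Class_Name'] ?? '?');
        unset($props['__PHP_Incomplete_Class_Name']);
        $value = $props;   // keep scanning: objects can nest inside objects
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            // Protected/private property keys contain NUL bytes; make them printable.
            $label = str_replace("\0", '.', (string) $k);
            $hits = array_merge($hits, find_object_tokens($v, $path . '[' . $label . ']'));
        }
    }
    return $hits;
}

// Returns the object tokens found in one post_content string, or [] when the
// content is not serialized or holds only scalars and arrays.
function scan_post_content(string $post_content): array {
    if (preg_match('/^([aOCsidb]:|N;)/', $post_content) !== 1) {
        return [];   // simplified stand-in for WordPress's is_serialized()
    }
    $decoded = @unserialize($post_content, ['allowed_classes' => false]);
    if ($decoded === false && $post_content !== 'b:0;') {
        return ['<unparseable serialized data>'];
    }
    return find_object_tokens($decoded);
}

if (function_exists('get_posts')) {
    // Inside WordPress: check every admin_form post, whatever its status.
    $posts = get_posts([
        'post_type'      => 'admin_form',
        'post_status'    => 'any',
        'posts_per_page' => -1,
    ]);
    foreach ($posts as $post) {
        foreach (scan_post_content($post->post_content) as $hit) {
            echo "post {$post->ID}: object token at {$hit}\n";
        }
    }
} else {
    // Stand-alone self-check with constructed samples.
    $samples = [
        'clean'  => 'a:1:{s:5:"field";s:4:"name";}',
        'nested' => 'a:1:{s:4:"rule";O:8:"stdClass":1:{s:1:"x";i:1;}}',
        'direct' => 'O:7:"Gadget0":1:{s:3:"cmd";s:2:"id";}',
        'plain'  => 'not serialized at all',
    ];
    foreach ($samples as $label => $content) {
        echo $label . ': ' . json_encode(scan_post_content($content)) . "\n";
    }
}
```

Any hit is worth investigating, including stdClass: the plugin's own data model decides whether an object belongs in post_content at all, and an object token that the plugin never writes is a strong sign that someone planted it. Unparseable serialized data is also suspicious, since truncated or hand-edited payloads are common while an attacker is still tuning a chain.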


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Shabti; Shabti frontend Admin By Dynamapps; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Shabti; Shabti frontend Admin By Dynamapps; Wordpress; Wordpress wordpress

Thu, 26 Mar 2026 03:45:00 +0000

Type: Description
Values Added: the description text shown at the top of this page

Type: Title
Values Added: Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts

Type: Weaknesses
Values Added: CWE-502

Type: References
Values Added: (none recorded)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:48.534Z

Reserved: 2026-02-27T14:10:06.693Z

Link: CVE-2026-3328

Vulnrichment

Updated: 2026-03-26T17:48:46.633Z

NVD

Status : Deferred

Published: 2026-03-26T04:17:11.663

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-3328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:08:46Z

Weaknesses