Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST['_acf_form'] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action's run() function falls back to attacker-controlled field definitions from $form['fields'] when legitimate fields cannot be found. The role field's pre_update_value() validation reads $field['role_options'] from this attacker-controlled definition, allowing an attacker to specify ['administrator'] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.
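The description names two missing controls: the form definition must be loaded server-side rather than taken from the request, and the allowed roles must be read from that stored definition. The following PHP sketch is an added illustration of those controls and is not the plugin's own code; the option name `fa_forms_demo`, the `fa_*` function names and the field layout are assumptions.

```php
<?php
// Added illustration (not the plugin's code): a submission handler that only
// accepts a form ID, loads the definition from the server, and validates the
// role against the stored definition instead of anything in $_POST.

// Hypothetical server-side store of form definitions keyed by integer ID.
function fa_load_form_definition( int $form_id ): ?array {
    $stored = get_option( 'fa_forms_demo', array() ); // assumed option name
    return isset( $stored[ $form_id ] ) ? $stored[ $form_id ] : null;
}

// Resolve the form ONLY from a scalar ID; an array (the injection vector in
// the advisory) or any other non-scalar input is rejected outright.
function fa_resolve_form( $raw_form ) {
    if ( is_array( $raw_form ) || ! is_scalar( $raw_form ) ) {
        return new WP_Error( 'invalid_form', 'Form must be referenced by ID.' );
    }
    $form = fa_load_form_definition( absint( $raw_form ) );
    return $form ? $form : new WP_Error( 'unknown_form', 'Unknown form ID.' );
}

// Validate the requested role against the STORED field definition, and never
// let a submitter without promote_users pick anything but the default role.
function fa_validate_role( string $requested, array $stored_field ) {
    $role    = sanitize_key( $requested );
    $allowed = array_map( 'sanitize_key', (array) ( $stored_field['role_options'] ?? array() ) );
    if ( ! in_array( $role, $allowed, true ) ) {
        return new WP_Error( 'role_not_allowed', 'Role not permitted by this form.' );
    }
    $default = (string) get_option( 'default_role', 'subscriber' );
    if ( $role !== $default && ! current_user_can( 'promote_users' ) ) {
        // Anonymous users never have promote_users, so they can only get $default.
        return new WP_Error( 'role_forbidden', 'Insufficient privileges for this role.' );
    }
    return $role;
}

// Handler wiring: every decision is made from server-side state.
function fa_handle_submission() {
    $form = fa_resolve_form( $_POST['_acf_form'] ?? null );
    if ( is_wp_error( $form ) ) {
        wp_die( esc_html( $form->get_error_message() ), '', array( 'response' => 400 ) );
    }
    $field = $form['fields']['role'] ?? array(); // assumed layout of the stored definition
    $role  = fa_validate_role( (string) ( $_POST['role'] ?? '' ), $field );
    if ( is_wp_error( $role ) ) {
        wp_die( esc_html( $role->get_error_message() ), '', array( 'response' => 403 ) );
    }
    // ... create the user with $role; $form['fields'] never comes from the request.
}
```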
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Frontend Admin by DynamiApps WordPress plugin allows an attacker to submit a custom form configuration via the unprotected _acf_form POST parameter. When the plugin receives an array instead of a form ID, it bypasses a database lookup and directly processes the supplied structure. The validation logic for the role field then reads the attacker-supplied role options, enabling the injection of an administrator role. This flaw permits an unauthenticated user to create an account with full administrative privileges, effectively compromising the entire site and all its data.

Affected Systems

WordPress installations running the Frontend Admin by DynamiApps plugin at version 3.29.2 or earlier are affected; newer versions contain the fix.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. The EPSS score is not available, and the flaw is not listed in CISA’s KEV catalog. Attackers can exploit this remotely by crafting a POST request targeting the form submission endpoint, injecting a malicious form definition and role options. Once exploited, the attacker obtains full administrative control of the WordPress site without needing prior authentication.

Generated by OpenCVE AI on May 28, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Frontend Admin by DynamiApps WordPress plugin to version 3.29.3 or later to remediate the privilege escalation flaw.
  • If the plugin cannot be updated immediately, block unauthenticated POST requests to the form handler by configuring Apache/Nginx rules or using a security plugin to enforce authentication for form submissions.
  • Audit existing form configurations and remove any entries that permit administrator role assignment; ensure role options are limited to appropriate user capabilities.

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Shabti; Shabti frontend Admin By Dynamapps; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Shabti; Shabti frontend Admin By Dynamapps; Wordpress; Wordpress wordpress

Thu, 28 May 2026 08:45:00 +0000

Type: Description
Values Added: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST['_acf_form'] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action's run() function falls back to attacker-controlled field definitions from $form['fields'] when legitimate fields cannot be found. The role field's pre_update_value() validation reads $field['role_options'] from this attacker-controlled definition, allowing an attacker to specify ['administrator'] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.
Type: Title
Values Added: Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Privilege Escalation via Form Configuration Injection
Type: Weaknesses
Values Added: CWE-269
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Shabti Frontend Admin By Dynamapps
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:31:42.500Z

Reserved: 2026-04-13T14:07:38.949Z

Link: CVE-2026-6226

Vulnrichment

Updated: 2026-05-28T10:31:37.386Z

NVD

Status : Deferred

Published: 2026-05-28T09:16:47.903

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-6226

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T10:00:11Z

Weaknesses