Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 3.28.36. This is due to insufficient authorization checks in the role field update mechanism combined with overly permissive capabilities for the admin_form post type. The admin_form custom post type uses 'capability_type' => 'page', which grants editors the ability to create and edit forms. When an editor creates an edit_user form, they can manipulate the form configuration to include 'administrator' in the role_options array by directly submitting POST data to wp-admin/post.php, bypassing the UI restrictions in feadmin_get_user_roles(). When the form is subsequently submitted, the pre_update_value() function in class-role.php only validates that the submitted role exists in the form's role_options array (lines 107-110), but fails to verify that the current user has permission to assign that specific role. This makes it possible for unauthenticated attackers to first register as editors (via a public new_user form), then create an edit_user form with administrator in the allowed roles, and finally use that form to escalate their own privileges to administrator.
Published: 2026-05-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Frontend Admin plugin allows users with editor privileges to misconfigure a form that edits user roles. The plugin’s form configuration can be crafted so that the array of allowed roles lists "administrator". When the form is submitted, the code merely checks that the chosen role exists in this array and fails to verify that the current user is authorized to assign it, enabling elevation to administrator. The vulnerability resides in CWE‑269 (Improper Privilege Management). Consequently, an attacker can acquire full administrative control of a WordPress site.

Affected Systems

WordPress sites running the Frontend Admin by DynamiApps plugin up to and including version 3.28.36 are impacted. No specific supplemental product information is supplied, so any installation of this plugin version chain is considered vulnerable.

Risk and Exploitability

The CVSS score of 8.8 signals a high‑severity threat. Although the EPSS score is not available, the absence of a listing in the CISA KEV catalog suggests that no publicly known exploits are currently documented. The likely attack vector is a combination of unauthenticated user registration via the plugin’s public new_user form followed by authenticated form creation and submission. Once the attacker registers as an editor, they can craft a privileged edit_user form and exploit the lack of authorization checks to gain administrator rights. Given the plugin’s broad permissions for editors, the risk remains significant if the plugin remains outdated and publicly accessible.

Generated by OpenCVE AI on May 15, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frontend Admin to a patched version newer than 3.28.36 or uninstall the plugin if no fix is available.
  • Disable or tightly restrict the public user registration that the plugin exposes, preventing attackers from creating editor accounts.
  • Modify the admin_form post type to grant editing rights only to administrators or implement a code hook that enforces role assignment checks before saving the form configuration.

Generated by OpenCVE AI on May 15, 2026 at 10:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Shabti
Shabti frontend Admin By Dynamapps
Wordpress
Wordpress wordpress
Vendors & Products Shabti
Shabti frontend Admin By Dynamapps
Wordpress
Wordpress wordpress

Fri, 15 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 3.28.36. This is due to insufficient authorization checks in the role field update mechanism combined with overly permissive capabilities for the admin_form post type. The admin_form custom post type uses 'capability_type' => 'page', which grants editors the ability to create and edit forms. When an editor creates an edit_user form, they can manipulate the form configuration to include 'administrator' in the role_options array by directly submitting POST data to wp-admin/post.php, bypassing the UI restrictions in feadmin_get_user_roles(). When the form is subsequently submitted, the pre_update_value() function in class-role.php only validates that the submitted role exists in the form's role_options array (lines 107-110), but fails to verify that the current user has permission to assign that specific role. This makes it possible for unauthenticated attackers to first register as editors (via a public new_user form), then create an edit_user form with administrator in the allowed roles, and finally use that form to escalate their own privileges to administrator.
Title Frontend Admin by DynamiApps <= 3.28.36 - Unauthenticated Privilege Escalation via Edit User Form
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Shabti Frontend Admin By Dynamapps
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-15T13:27:47.906Z

Reserved: 2026-04-13T14:13:29.483Z

Link: CVE-2026-6228

cve-icon Vulnrichment

Updated: 2026-05-15T13:27:42.878Z

cve-icon NVD

Status : Deferred

Published: 2026-05-15T09:16:16.833

Modified: 2026-05-15T14:09:15.910

Link: CVE-2026-6228

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T10:30:42Z

Weaknesses