Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= value, enabling full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have its 'Roles' configuration setting left empty; when a non-empty roles list is configured, load_data() sets the user ID to 'none' for users whose roles fall outside the allowed list, preventing administrators from being targeted through that form.
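Added illustrative example, not code from the Frontend Admin plugin: a hypothetical WordPress front-end edit-user handler showing the class of defect the description names (the target user id is read from the request and trusted) next to a hardened variant that checks the `edit_user` capability for that exact id, and gates the password field, before anything is written. All function names prefixed `example_` and the nonce action string are assumptions.

```php
<?php
// Added example (hypothetical handler), not the plugin's own code.
// Real WordPress APIs used: absint, get_current_user_id, current_user_can,
// get_userdata, wp_verify_nonce, wp_unslash, sanitize_email,
// sanitize_text_field, wp_update_user, WP_Error.

// DEFECT PATTERN (simplified): the caller picks the target account and
// nothing checks that the logged-in user may edit it.
function example_vulnerable_save_user( array $post ) {
    $user_id = isset( $_GET['user_id'] ) ? absint( $_GET['user_id'] ) : get_current_user_id();
    $data    = array( 'ID' => $user_id );
    foreach ( array( 'user_email', 'first_name', 'last_name', 'user_pass' ) as $field ) {
        if ( ! empty( $post[ $field ] ) ) {
            $data[ $field ] = $post[ $field ];
        }
    }
    return wp_update_user( $data ); // writes whichever account was requested
}

// HARDENED PATTERN: resolve the target, then require the meta capability
// 'edit_user' on that specific id. WordPress grants it for a user's own
// profile and for roles holding edit_users (administrators); a subscriber
// fails it for any other account.
function example_hardened_save_user( array $post, $requested_user_id = 0 ) {
    $current = get_current_user_id();
    if ( ! $current ) {
        return new WP_Error( 'not_logged_in', 'Authentication required.' );
    }
    $user_id = $requested_user_id ? absint( $requested_user_id ) : $current;
    if ( ! get_userdata( $user_id ) ) {
        return new WP_Error( 'no_user', 'Unknown user.' );
    }
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return new WP_Error( 'forbidden', 'You may not edit this user.' );
    }
    // Bind the submission to the target id so the form cannot be replayed against another account.
    $nonce = isset( $post['_wpnonce'] ) ? $post['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_edit_user_' . $user_id ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form token.' );
    }
    $data = array( 'ID' => $user_id );
    if ( isset( $post['user_email'] ) ) {
        $data['user_email'] = sanitize_email( wp_unslash( $post['user_email'] ) );
    }
    foreach ( array( 'first_name', 'last_name' ) as $field ) {
        if ( isset( $post[ $field ] ) ) {
            $data[ $field ] = sanitize_text_field( wp_unslash( $post[ $field ] ) );
        }
    }
    // Password replacement is the takeover primitive: accept it only for the caller's own account.
    if ( ! empty( $post['user_pass'] ) && $user_id === $current ) {
        $data['user_pass'] = $post['user_pass']; // wp_update_user hashes it
    }
    return wp_update_user( $data );
}
```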
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Frontend Admin by DynamiApps plugin for WordPress contains an authorization bypass that allows authenticated users with subscriber-level access or higher to overwrite key administrator fields such as password, email, first and last name. This flaw originates from failing to verify proper authorization when processing the user_id query parameter in the Edit-User form, which leads to a full administrator account takeover. The vulnerability is categorized as CWE-862 Missing Authorization.

Affected Systems

Affected products include the Frontend Admin by DynamiApps plugin, affecting all releases version 3.29.2 and earlier. The issue persists until a fixed version is released beyond the 3.29.2 threshold.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as High severity. Exploitation requires the attacker to be authenticated with at least subscriber privileges and to target the Edit-User form whose 'Roles' setting is left empty; if the form is restricted to specific roles, the vulnerability is mitigated. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating current public exploitation may still be limited but the potential impact warrants immediate remediation.

Generated by OpenCVE AI on May 28, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Frontend Admin by DynamiApps plugin to the latest release that includes the authorization bypass fix.
  • Configure the Edit-User form's 'Roles' setting to include only the administrator role, preventing subscribers from targeting admin accounts via the user_id parameter.
  • Review the permissions granted to subscriber-level accounts and restrict or remove access to the Edit-User form for low-privilege roles.

Generated by OpenCVE AI on May 28, 2026 at 05:51 UTC.

Advisories

No advisories yet.

References

https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.36/main/frontend/forms/actions/user.php#L565
https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.36/main/frontend/forms/actions/user.php#L636
https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.36/main/frontend/forms/classes/submit.php#L110
https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.36/main/frontend/forms/classes/submit.php#L392
https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.29.1/main/frontend/forms/actions/user.php#L565
https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.29.1/main/frontend/forms/actions/user.php#L636
https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.29.1/main/frontend/forms/classes/submit.php#L110
https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.29.1/main/frontend/forms/classes/submit.php#L392
https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/frontend/forms/actions/user.php#L565
https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/frontend/forms/actions/user.php#L636
https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/frontend/forms/classes/submit.php#L110
https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/frontend/forms/classes/submit.php#L392
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3525193%40acf-frontend-form-element&new=3525193%40acf-frontend-form-element&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/cd091bd5-6b6a-4964-9249-525bbbec702c?source=cve
History

Thu, 28 May 2026 12:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 06:15:00 +0000

Type: First Time appeared
Values Added: Shabti; Shabti frontend Admin By Dynamapps; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Shabti; Shabti frontend Admin By Dynamapps; Wordpress; Wordpress wordpress

Thu, 28 May 2026 04:45:00 +0000

Type: Description
Values Added: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= value, enabling full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have its 'Roles' configuration setting left empty; when a non-empty roles list is configured, load_data() sets the user ID to 'none' for users whose roles fall outside the allowed list, preventing administrators from being targeted through that form.

Type: Title
Values Added: Frontend Admin by DynamiApps <= 3.29.2 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via 'user_id' URL Query Parameter

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:37:04.253Z

Reserved: 2026-05-04T19:32:27.927Z

Link: CVE-2026-7802

Vulnrichment

Updated: 2026-05-28T10:36:58.669Z

NVD

Status: Deferred

Published: 2026-05-28T05:16:38.493

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-7802

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T06:00:11Z

Weaknesses