Vulnerabilities and security researches foracf-frontend-form-element acf-frontend-form-element

Direction: ascending

Jun 07, 2024

Frontend Admin by DynamiApps # 8426e9b4f12fe9484287dd6ae159cc1b36c15109

CVE, Research URL: 8426e9b4f12fe9484287dd6ae159cc1b36c15109
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Feb 28, 2022
Research Description: Frontend Admin by DynamiApps [acf-frontend-form-element] < 3.8.0 WordPress "ACF Frontend – Add and edit posts, pages, users and more all from the frontend" plugin < 3.3.33 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress "ACF Frontend – Add and edit posts, pages, users and more all from the frontend" plugin (versions < 3.3.33).
Affected versions: max 3.8.0.
Status: vulnerable

Frontend Admin by DynamiApps # CVE-2023-51411

CVE, Research URL: CVE-2023-51411
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Dec 29, 2023
Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in Shabti Kaplan Frontend Admin by DynamiApps.This issue affects Frontend Admin by DynamiApps: from n/a through 3.18.3.
Affected versions: max 3.18.4.
Status: vulnerable

Frontend Admin by DynamiApps # CVE-2024-3729

CVE, Research URL: CVE-2024-3729
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: May 02, 2024
Research Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'fea_encrypt' function in all versions up to, and including, 3.19.4. This makes it possible for unauthenticated attackers to manipulate the user processing forms, which can be used to add and edit administrator user for privilege escalation, or to automatically log in users for authentication bypass, or manipulate the post processing form that can be used to inject arbitrary web scripts. This can only be exploited if the 'openssl' php extension is not loaded on the server.
Affected versions: max 3.19.5.
Status: vulnerable

Nov 15, 2024

Frontend Admin by DynamiApps # CVE-2022-4974

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 3.3.33.
Status: vulnerable

Dec 15, 2024

Frontend Admin by DynamiApps # CVE-2024-11720

CVE, Research URL: CVE-2024-11720
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Dec 14, 2024
Research Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via submission forms in all versions up to, and including, 3.24.5 due to insufficient input sanitization and output escaping on the new Taxonomy form. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when lower-level users have been granted access to submit specific forms, which is disabled by default.
Affected versions: max 3.25.1.
Status: vulnerable

Frontend Admin by DynamiApps # CVE-2024-11721

CVE, Research URL: CVE-2024-11721
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Dec 14, 2024
Research Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.24.5. This is due to insufficient controls on the user role select field when utilizing the 'Role' field in a form. This makes it possible for unauthenticated attackers to create new administrative user accounts, even when the administrative user role has not been provided as an option to the user, granted that unauthenticated users have been provided access to the form.
Affected versions: max 3.25.1.
Status: vulnerable

Dec 22, 2024

Frontend Admin by DynamiApps # CVE-2024-11722

CVE, Research URL: CVE-2024-11722
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Dec 21, 2024
Research Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.25.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This requires an unauthenticated user to have been given permission to view form submissions, and the form submission shortcode be added to a page.
Affected versions: max 3.25.2.
Status: vulnerable

Feb 27, 2025

Frontend Admin by DynamiApps # CVE-2025-26987

CVE, Research URL: CVE-2025-26987
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Feb 25, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Reflected XSS. This issue affects Frontend Admin by DynamiApps: from n/a through 3.25.17.
Affected versions: max 3.25.18.
Status: vulnerable

Jul 03, 2025

Frontend Admin by DynamiApps # CVE-2025-49303

CVE, Research URL: CVE-2025-49303
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Jul 04, 2025
Research Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Path Traversal. This issue affects Frontend Admin by DynamiApps: from n/a through 3.28.7.
Affected versions: max 3.28.8.
Status: vulnerable

Aug 16, 2025

Frontend Admin by DynamiApps # CVE-2025-49267

CVE, Research URL: CVE-2025-49267
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Aug 14, 2025
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Blind SQL Injection. This issue affects Frontend Admin by DynamiApps: from n/a through 3.28.3.
Affected versions: max 3.28.5.
Status: vulnerable

Dec 10, 2025

Frontend Admin by DynamiApps # CVE-2025-13342

CVE, Research URL: CVE-2025-13342
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Dec 03, 2025
Research Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms.
Affected versions: max 3.28.21.
Status: vulnerable

Jan 28, 2026

Frontend Admin by DynamiApps # CVE-2025-14736

CVE, Research URL: CVE-2025-14736
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Jan 09, 2026
Research Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field.
Affected versions: max 3.28.26.
Status: vulnerable

Frontend Admin by DynamiApps # CVE-2025-14937

CVE, Research URL: CVE-2025-14937
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Jan 09, 2026
Research Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.28.24.
Status: vulnerable

Frontend Admin by DynamiApps # CVE-2025-14741

CVE, Research URL: CVE-2025-14741
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Jan 09, 2026
Research Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.
Affected versions: max 3.28.26.
Status: vulnerable

Apr 13, 2026

Frontend Admin by DynamiApps # CVE-2026-3328

CVE, Research URL: CVE-2026-3328
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: Mar 26, 2026
Research Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
Affected versions: max 3.28.32.
Status: vulnerable

May 16, 2026

Frontend Admin by DynamiApps # CVE-2026-6228

CVE, Research URL: CVE-2026-6228
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: May 15, 2026
Research Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 3.28.36. This is due to insufficient authorization checks in the role field update mechanism combined with overly permissive capabilities for the admin_form post type. The admin_form custom post type uses 'capability_type' => 'page', which grants editors the ability to create and edit forms. When an editor creates an edit_user form, they can manipulate the form configuration to include 'administrator' in the role_options array by directly submitting POST data to wp-admin/post.php, bypassing the UI restrictions in feadmin_get_user_roles(). When the form is subsequently submitted, the pre_update_value() function in class-role.php only validates that the submitted role exists in the form's role_options array (lines 107-110), but fails to verify that the current user has permission to assign that specific role. This makes it possible for unauthenticated attackers to first register as editors (via a public new_user form), then create an edit_user form with administrator in the allowed roles, and finally use that form to escalate their own privileges to administrator.
Affected versions: max 3.29.1.
Status: vulnerable

May 30, 2026

Frontend Admin by DynamiApps # CVE-2026-7802

CVE, Research URL: CVE-2026-7802
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: May 28, 2026
Research Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= value, enabling full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have its 'Roles' configuration setting left empty; when a non-empty roles list is configured, load_data() sets the user ID to 'none' for users whose roles fall outside the allowed list, preventing administrators from being targeted through that form.
Affected versions: max 3.29.3.
Status: vulnerable

Frontend Admin by DynamiApps # CVE-2026-6226

CVE, Research URL: CVE-2026-6226
Home page URL: Security reports for Frontend Admin by DynamiApps
Application: Frontend Admin by DynamiApps
Date: May 28, 2026
Research Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST['_acf_form'] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action's run() function falls back to attacker-controlled field definitions from $form['fields'] when legitimate fields cannot be found. The role field's pre_update_value() validation reads $field['role_options'] from this attacker-controlled definition, allowing an attacker to specify ['administrator'] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.
Affected versions: max 3.29.3.
Status: vulnerable