WordPress Plugin Vulnerabilities

Frontend Admin by DynamiApps < 3.28.21 - Unauthenticated Arbitrary Options Update

Description

The plugin is vulnerable to unauthorized modification of arbitrary WordPress options due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms.

Proof of Concept

Affects Plugins

Plugin icon
acf-frontend-form-element
Fixed in 3.28.21

References

CVE
CVE-2025-13342
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/613f2035-3061-429b-b218-83805287e4f3

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
YC_Infosec
Verified
Yes
WPVDB ID
33f60e48-68b6-4fd6-99b2-dbad9a82c9a3

Timeline

Publicly Published
2025-12-03 (about 5 months ago)
Added
2025-12-03 (about 5 months ago)
Last Updated
2026-05-24 (about 11 hours ago)

Other

Published
Title
Published
2026-01-09
Title
Add Expires Headers & Optimized Minify < 3.3.0 - Missing Authorization
Published
2025-01-16
Title
AI Responsive Gallery Album <= 1.4 - Missing Authorization
Published
2025-09-05
Title
Ray Enterprise Translation <= 1.7.1 - Missing Authorization
Published
2024-08-16
Title
Radio Player < 2.0.74 - Missing Authorization to Player Deletion
Published
2024-07-23
Title
Social Auto Poster < 5.3.15 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update via wpw_auto_poster_update_tweet_template