WordPress Plugin Vulnerabilities
Frontend Admin by DynamiApps < 3.28.32 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts
Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
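The class restriction the description says is missing, shown as an added example (not the plugin's code or its actual patch): stored settings are decoded with PHP's `unserialize()` and `allowed_classes => false`, so no class is instantiated and no magic method runs. The function names, the `ConstructedMarker` class and the sample settings are hypothetical; PHP 7.4 or later is assumed.

```php
<?php
// Added example: hypothetical names, constructed sample data.

// Harmless stand-in for any class whose magic methods run on deserialization.
class ConstructedMarker {
    public static bool $woke = false;
    public function __wakeup(): void { self::$woke = true; }
}

// True if the value is, or contains at any depth, an object
// (including the __PHP_Incomplete_Class placeholder).
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Decode stored form settings; arrays and scalars only, never objects.
function decode_form_settings(string $post_content): array {
    // allowed_classes => false turns every serialized object into an inert
    // __PHP_Incomplete_Class instead of instantiating the named class.
    $data = @unserialize(trim($post_content), ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return []; // not serialized settings, or objects were present: reject
    }
    return $data;
}

// Constructed inputs: plain settings, and settings carrying an object.
$plain   = serialize(['form_title' => 'Contact', 'fields' => ['name', 'email']]);
$tainted = serialize(['form_title' => 'Contact', 'extra' => new ConstructedMarker()]);

var_dump(decode_form_settings($plain));   // the settings array, unchanged
var_dump(decode_form_settings($tainted)); // empty array: content rejected
var_dump(ConstructedMarker::$woke);       // false: __wakeup() never ran
```

WordPress's `maybe_unserialize()` takes no options argument, so a restriction like this has to come from calling `unserialize()` directly or from storing the settings in a format that cannot carry objects, such as JSON.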
Affects Plugins
References
Classification
Type
OBJECT INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Osvaldo Noe Gonzalez Del Rio (Os)
Verified
No
WPVDB ID
Timeline
Publicly Published
2026-03-25 (about 1 month ago)
Added
2026-03-25 (about 1 month ago)
Last Updated
2026-03-26 (about 1 month ago)