WordPress Plugin Vulnerabilities

Frontend Admin by DynamiApps < 3.28.8 - Authenticated (Editor+) Arbitrary File Deletion

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 3.28.7. This makes it possible for authenticated attackers, with Editor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Plugin icon
acf-frontend-form-element
Fixed in 3.28.8

References

CVE
CVE-2025-49303
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8156d204-f48a-43aa-af2f-86d4aaf4f50e

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
0xd4rk5id3
Verified
No
WPVDB ID
bfb5be9e-bf6d-43de-838d-86fc37a72e95

Timeline

Publicly Published
2025-06-26 (about 10 months ago)
Added
2025-07-01 (about 10 months ago)
Last Updated
2025-07-01 (about 10 months ago)

Other

Published
Title
Published
2024-12-06
Title
FileOrganizer < 1.1.5 - Authenticated (Administrator+) Local JavaScript File Inclusion
Published
2024-06-06
Title
Ovic Importer <= 1.6.3 - Authenticated (Subscriber+) Arbitrary File Download
Published
2026-05-04
Title
Loco Translate < 2.8.3 - Translator+ Path Traversal to Limited File Read via 'ref' Parameter
Published
2025-07-17
Title
Attachment Manager <= 2.1.2 - Unauthenticated Arbitrary File Deletion
Published
2021-07-12
Title
UpdraftPlus < 1.16.59 - Admin+ Local File Inclusion