Frontend Admin by DynamiApps < 3.28.30 – Unauthenticated Privilege Escalation to Administrator via Role Form Field | CVE 2025-14736 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Privilege Escalation due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field.

Affects Plugins

acf-frontend-form-element

Fixed in 3.28.30

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/07eb71fc-6588-490d-8947-3077ec4a9045

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

andrea bocchetti

Verified

No

WPVDB ID

f60e8df4-9f26-44ec-ab39-0191f0b89dca

Timeline

Publicly Published

2026-01-08 (about 4 months ago)

Added

2026-01-08 (about 4 months ago)

Last Updated

2026-04-21 (about 1 month ago)

Other

Published

Title

Published

2026-04-08

Title

Cart Abandonment Recovery for WooCommerce < 2.1.0 - Shop Manager+ Privilege Escalation

Published

2025-06-25

Title

Simple User Registration < 6.4 - Unauthenticated Privilege Escalation

Published

2025-07-01

Title

CouponXxL Custom Post Types < 3.1 - Unauthenticated Privilege Escalation

Published

2021-04-14

Title

Plus Addons for Elementor < 2.0.7 - Contributor+ Privilege Escalation

Published

2025-01-14

Title

User Management <= 1.2 - Authenticated (Subscriber+) Privilege Escalation