CVE-2025-14741

CRITICAL 9.1 (CVSS 3.1)
2026-01-09

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
CVE Published: Jan 09, 2026 - 08:15 (nvd)

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.

Analysis

Frontend Admin by DynamiApps (through 3.28.25) allows unauthenticated deletion of arbitrary posts, pages, products, taxonomy terms, and user accounts due to missing capability checks.

Technical Context

The delete_object function lacks capability checks (CWE-862), allowing unauthenticated users to delete any WordPress object – posts, pages, products, taxonomy terms, and even user accounts.

Affected Products

Frontend Admin by DynamiApps through 3.28.25

Remediation

Update immediately. This plugin has two critical CVEs (this one and CVE-2025-14736). Both must be patched.

Priority Score

Score: 46

KEV: 0
EPSS: +0.0
CVSS: +46
POC: 0
