Skip to main content

Frontend Admin CVE-2026-7802

| EUVDEUVD-2026-32706 HIGH
Missing Authorization (CWE-862)
2026-05-28 Wordfence GHSA-pr4r-gmw2-wm5r
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 28, 2026 - 05:01 vuln.today
CVE Published
May 28, 2026 - 03:27 nvd
HIGH 8.8

DescriptionCVE.org

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= value, enabling full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have its 'Roles' configuration setting left empty; when a non-empty roles list is configured, load_data() sets the user ID to 'none' for users whose roles fall outside the allowed list, preventing administrators from being targeted through that form.

AnalysisAI

Privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows authenticated subscriber-level users to overwrite arbitrary user profile fields - including administrator passwords and email addresses - by supplying a chosen user_id parameter to a vulnerable Edit-User form. This authorization-bypass flaw (CWE-862) enables full administrator account takeover through direct password replacement or email-redirect password reset, and no public exploit identified at time of analysis. The vulnerability requires a specific misconfiguration where the form's Roles setting is left empty, which limits exploitable installs but is a common default state.

Technical ContextAI

The plugin (internally named acf-frontend-form-element, vendor 'shabti') provides frontend WordPress administrative forms allowing site visitors and members to edit their own profile via Advanced Custom Fields-driven forms. The root cause is CWE-862 (Missing Authorization): the load_data() function in frontend/forms/actions/user.php and the submit logic in frontend/forms/classes/submit.php accept a user-supplied ?user_id= parameter and apply field updates without verifying that the requesting user is authorized to modify the target account. The plugin includes a partial mitigation - when a non-empty Roles allow-list is configured, load_data() reassigns the user ID to 'none' for out-of-scope targets - but when Roles is left empty (the default for many simple member-profile forms), no role check occurs and the requesting user can target any account including administrators.

RemediationAI

Upgrade Frontend Admin by DynamiApps to a release newer than 3.29.2 once the vendor publishes a fix; the WordPress.org changeset 3525193 (https://plugins.trac.wordpress.org/changeset?old=3525193%40acf-frontend-form-element&new=3525193%40acf-frontend-form-element) reflects upstream activity on the relevant files, and an upstream fix is referenced although a tagged patched version is not independently confirmed from the provided data - verify the current installed version against the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/cd091bd5-6b6a-4964-9249-525bbbec702c. As an immediate compensating control on unpatched sites, edit every Frontend Admin Edit-User form and populate the 'Roles' configuration with a non-empty allow-list excluding 'administrator', which causes load_data() to set out-of-scope target IDs to 'none' and blocks the takeover path (trade-off: each form must be audited individually, and any form left with empty Roles remains exploitable). Additionally, restrict or disable open subscriber registration (Settings → General → 'Anyone can register') to remove the low-cost attacker foothold required by PR:L, and consider a WAF rule blocking unexpected ?user_id= parameters on the plugin's submit endpoints until the upgrade is applied.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-7802 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy