EUVD-2026-16086
GHSA-98q5-g3r5-8vrg
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's maybe_unserialize() function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
AnalysisAI
The Frontend Admin by DynamiApps plugin for WordPress contains a PHP Object Injection vulnerability affecting all versions up to and including 3.28.31. Authenticated attackers with Editor-level privileges or higher can exploit unsafe deserialization of the 'post_content' field in admin_form posts to inject malicious PHP objects and achieve remote code execution through available POP chains. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires WordPress Frontend Admin by DynamiApps plugin version 3.28.31 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS score of 7.2 (High) reflects the significant technical impact (complete compromise of confidentiality, integrity, and availability) but is somewhat mitigated by requiring high privileges (PR:H - Editor-level access). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised an Editor account through credential theft or social engineering can create or modify admin_form posts within the WordPress installation. By crafting malicious serialized PHP objects in the post_content field that leverage existing POP chains in the WordPress environment, the attacker triggers remote code execution when the plugin deserializes this content. … |
| Remediation | Site administrators should immediately update the Frontend Admin by DynamiApps plugin to a version newer than 3.28.31 that addresses this deserialization vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all users with Editor role or above and disable unnecessary accounts; document current plugin version across all WordPress instances. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through
Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers
Share
External POC / Exploit Code
Leaving vuln.today