CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2026-3328 – Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts
https://notcve.org/view.php?id=CVE-2026-3328
26 Mar 2026 — The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain ... • https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.27/main/admin/admin-pages/forms/settings.php#L419 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-14937 – Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via 'update_field'
https://notcve.org/view.php?id=CVE-2025-14937
08 Jan 2026 — The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/changeset/3427236/acf-frontend-form-element • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-14741 – Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element
https://notcve.org/view.php?id=CVE-2025-14741
08 Jan 2026 — The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts. • https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106 • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-14736 – Frontend Admin by DynamiApps <= 3.28.29 - Unauthenticated Privilege Escalation to Administrator via Role Form Field
https://notcve.org/view.php?id=CVE-2025-14736
08 Jan 2026 — The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field. The Frontend Admin by Dynami... • https://plugins.trac.wordpress.org/changeset/3427243/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-13342 – Frontend Admin by DynamiApps <= 3.28.20 - Unauthenticated Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2025-13342
03 Dec 2025 — The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms. • https://plugins.trac.wordpress.org/changeset/3400432/acf-frontend-form-element • CWE-862: Missing Authorization •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49267 – WordPress Frontend Admin by DynamiApps plugin <= 3.28.3 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-49267
12 Aug 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Blind SQL Injection. This issue affects Frontend Admin by DynamiApps: from n/a through 3.28.3. La vulnerabilidad de neutralización incorrecta de elementos especiales utilizados en un comando SQL ('Inyección SQL') en Shabti Kaplan Frontend Admin de DynamiApps permite la inyección SQL ciega. Este problema afecta a Frontend Admin de DynamiApps desde n/d hasta l... • https://patchstack.com/database/wordpress/plugin/acf-frontend-form-element/vulnerability/wordpress-frontend-admin-by-dynamiapps-3-28-3-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49303 – WordPress Frontend Admin by DynamiApps plugin <= 3.28.7 - Arbitrary File Download Vulnerability
https://notcve.org/view.php?id=CVE-2025-49303
26 Jun 2025 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Path Traversal. This issue affects Frontend Admin by DynamiApps: from n/a through 3.28.7. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps acf-frontend-form-element allows Path Traversal.This issue affects Frontend Admin by DynamiApps: from n/a through <= 3.28.7. The Frontend... • https://patchstack.com/database/wordpress/plugin/acf-frontend-form-element/vulnerability/wordpress-frontend-admin-by-dynamiapps-3-28-7-arbitrary-file-download-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26987 – WordPress Frontend Admin by DynamiApps plugin <= 3.25.17 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-26987
23 Feb 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Reflected XSS. This issue affects Frontend Admin by DynamiApps: from n/a through 3.25.17. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps acf-frontend-form-element allows Reflected XSS.This issue affects Frontend Admin by DynamiApps: from n/a through <= 3.25.17. ... • https://patchstack.com/database/wordpress/plugin/acf-frontend-form-element/vulnerability/wordpress-frontend-admin-by-dynamiapps-plugin-3-25-17-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11722 – Frontend Admin by DynamiApps <= 3.25.1 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-11722
20 Dec 2024 — The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.25.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This requires an unauthenticated user to have b... • https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/admin/admin-pages/submissions/crud.php#L171 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 1%CPEs: 1EXPL: 0CVE-2024-11720 – Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-11720
13 Dec 2024 — The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via submission forms in all versions up to, and including, 3.24.5 due to insufficient input sanitization and output escaping on the new Taxonomy form. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when lower-level users have been granted access to submit specific forms, which is... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3204192%40acf-frontend-form-element&new=3204192%40acf-frontend-form-element&sfp_email=&sfph_mail=#file32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •