CVE-2025-14736
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-04-08
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dynamiapps | frontend_admin | up to and including 3.28.25 |
| acf | frontend_form_element | all versions (*) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Frontend Admin by DynamiApps WordPress plugin allows unauthenticated attackers to escalate their privileges by exploiting insufficient validation of user-supplied role values in certain functions. Specifically, attackers can register as administrators if they can access a user registration form containing a Role field, due to improper checks in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This means attackers can gain complete control over the affected WordPress site. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to register as an administrator on your WordPress site without authentication. This grants them full control over the site, including the ability to modify content, install malicious code, steal data, or disrupt site operations, leading to severe security and operational impacts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your WordPress site is running the Frontend Admin by DynamiApps plugin version 3.28.25 or earlier. Additionally, you can inspect user registration forms for the presence of a Role field that allows role assignment. To detect exploitation attempts, monitor logs for unusual user registrations with administrator roles. Specific commands are not provided in the resources. [1]
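The advisory names three detection angles (plugin version, a Role field in the registration form, and registrations that landed an administrator role) but gives no commands. The script below is an added example written for this page, not code from BaseFortify or from the Frontend Admin plugin. It assumes the standard WordPress plugin header (`Version:` line), a form whose role control has `role` somewhere in its `name` attribute, and a constructed audit-log format of `<timestamp> user_register key=value ...`; adapt the parser to whatever activity-log plugin actually writes on your site.

```python
"""Detection checks for CVE-2025-14736 (Frontend Admin by DynamiApps).

Added example, not plugin or vendor code. All sample data below is
constructed for the demo; the audit-log format is an assumption.
"""
import re

# Versions up to and including 3.28.25 are affected (from the advisory).
LAST_AFFECTED = (3, 28, 25)
# Roles whose self-registration should never happen from a public form.
PRIVILEGED_ROLES = {"administrator"}


# --- Check 1: installed plugin version -------------------------------------
def parse_version(text):
    """'3.28.25' -> (3, 28, 25); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected_version(version):
    """True when the version is 3.28.25 or earlier."""
    return parse_version(version) <= LAST_AFFECTED


def plugin_version_from_header(header):
    """Read the 'Version:' line of a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
    return m.group(1) if m else None


# --- Check 2: does a registration form expose a role field? ---------------
# Assumption: the role control carries 'role' in its name attribute.
ROLE_FIELD = re.compile(
    r"""<(?:select|input)\b[^>]*\bname=["'][^"']*role[^"']*["']""", re.I)


def form_has_role_field(html):
    return bool(ROLE_FIELD.search(html))


# --- Check 3: registrations that ended up with a privileged role ----------
def registrations_with_privileged_role(lines):
    """Return the key=value fields of every user_register event whose
    role is privileged (constructed log format, see module docstring)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[1] != "user_register":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if fields.get("role", "").lower() in PRIVILEGED_ROLES:
            hits.append({**fields, "ts": parts[0]})
    return hits


# Constructed sample inputs.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Frontend Admin
 * Version: 3.28.25
 */"""

SAMPLE_FORM = ('<form><input name="acf[user_email]">'
               '<select name="acf[user_role]"><option>administrator</option>'
               '</select></form>')

SAMPLE_LOG = [
    "2026-01-10T08:12:03Z user_register user_login=alice role=subscriber source=frontend-form ip=198.51.100.4",
    "2026-01-10T08:13:41Z user_register user_login=webmaster2 role=administrator source=frontend-form ip=203.0.113.7",
    "2026-01-10T08:14:00Z user_login user_login=alice ip=198.51.100.4",
]

if __name__ == "__main__":
    v = plugin_version_from_header(SAMPLE_HEADER)
    print(f"plugin version {v}: {'AFFECTED' if is_affected_version(v) else 'ok'}")
    print("role field in registration form:", form_has_role_field(SAMPLE_FORM))
    for hit in registrations_with_privileged_role(SAMPLE_LOG):
        print("privileged self-registration:", hit)
```

A registration that arrives with `role=administrator` from a public form is the event to alert on; the version check tells you whether the site was exposed in the first place, and the form check tells you whether the exposed path was actually reachable.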
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Frontend Admin by DynamiApps plugin to a version later than 3.28.25 where the role validation logic has been fixed. The update enforces strict validation of user roles and terminates execution on invalid role assignments, preventing privilege escalation. If an update is not immediately possible, restrict access to user registration forms containing the Role field or disable user registration temporarily. [1]
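The fix described above, strict role validation that aborts on an invalid assignment, is the general remedy for CWE-269 in self-service registration. The model below is an added example for this page, not the plugin's PHP; the handler names, the role list, and the form layout are assumptions. It places the flawed pattern (trusting the role posted with the form) beside the hardened one (a server-side allowlist chosen by who is submitting, failing closed on anything else).

```python
"""Model of client-controlled role assignment and its fail-closed fix.

Added example, not Frontend Admin code. Roles follow WordPress defaults;
the handlers and form dictionary shape are assumptions for the demo.
"""

ALL_ROLES = {"subscriber", "contributor", "author", "editor", "administrator"}
# What an anonymous submitter of a public registration form may become.
SELF_REGISTRATION_ROLES = {"subscriber"}
DEFAULT_ROLE = "subscriber"


class RegistrationRejected(Exception):
    """Raised where the fixed code terminates execution."""


def register_vulnerable(form):
    """Flawed pattern: the posted role is honoured as long as it exists."""
    role = form.get("role", DEFAULT_ROLE)
    if role not in ALL_ROLES:
        raise RegistrationRejected("unknown role")
    return {"user_login": form["user_login"], "role": role}


def register_hardened(form, submitter_is_admin=False):
    """Fixed pattern: the allowlist depends on the submitter, not the form.
    An unauthenticated submitter can only obtain a self-registration role;
    any other requested role aborts the request instead of being downgraded
    silently, so the attempt is visible in logs."""
    allowed = ALL_ROLES if submitter_is_admin else SELF_REGISTRATION_ROLES
    role = form.get("role") or DEFAULT_ROLE
    if role not in allowed:
        raise RegistrationRejected(f"role {role!r} not permitted for this submitter")
    return {"user_login": form["user_login"], "role": role}


def outcome(handler, form, **kwargs):
    """Helper for comparison: the granted role, or 'REJECTED'."""
    try:
        return handler(form, **kwargs)["role"]
    except RegistrationRejected:
        return "REJECTED"


if __name__ == "__main__":
    # Constructed submission: an anonymous visitor asks for administrator.
    hostile = {"user_login": "webmaster2", "role": "administrator"}
    print("vulnerable handler:", outcome(register_vulnerable, hostile))
    print("hardened handler:  ", outcome(register_hardened, hostile))
    print("admin-submitted:   ", outcome(register_hardened, hostile, submitter_is_admin=True))
```

Note that the hardened handler rejects rather than quietly substituting `subscriber`: a rejected request is the signal the detection advice above asks you to watch for, whereas a silent downgrade hides the attempt.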