CVE-2025-14741
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dynamiapps | frontend_admin | up to and including 3.28.25 |
| acf | frontend_form_element | 3.28.26 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14741 is a vulnerability in the Frontend Admin by DynamiApps WordPress plugin, specifically in the 'delete_object' function. This function handles AJAX requests to delete various WordPress objects such as posts, pages, products, taxonomy terms, and user accounts. The vulnerability arises because there is a missing authorization check (capability check) on this function in all plugin versions up to and including 3.28.25. This flaw allows unauthenticated attackers to delete arbitrary content or user accounts without proper permission checks, potentially causing unauthorized data modification or deletion. [2]
How can this vulnerability impact me?
This vulnerability can have a severe impact by allowing unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts on a WordPress site using the affected plugin. This can lead to loss of important content, disruption of website functionality, and compromise of user data integrity. Since attackers do not need to be authenticated, the risk of exploitation is high, potentially resulting in significant damage to the website's data and operations. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized AJAX requests handled by the `wp_ajax_frontend_admin/delete_object` and `wp_ajax_nopriv_frontend_admin/delete_object` hooks. Look for suspicious POST requests carrying the 'field' key together with `_acf_form` and `_acf_objects` data. Such activity can be found in web server logs or with network monitoring tools, for example: `grep 'frontend_admin/delete_object' /var/log/apache2/access.log`, or by using tools like Wireshark or tcpdump to capture HTTP POST requests to these AJAX endpoints. Additionally, checking for unexpected deletions of posts, users, terms, or products in WordPress logs or database audit logs can help detect exploitation attempts. [2]
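The grep above only works when the AJAX action name appears in the request line. In WordPress, the `wp_ajax_{action}` and `wp_ajax_nopriv_{action}` hooks fire for requests to `/wp-admin/admin-ajax.php` whose `action` parameter equals `{action}`; if a client sends `action` only in the POST body, the access log shows a bare POST to `admin-ajax.php` and the string never appears. The script below is an added example (not BaseFortify's, Wordfence's, or the plugin's code) that parses combined-format access log lines, flags requests whose `action` query parameter is `frontend_admin/delete_object` (URL-encoded or not), counts them per source IP, and separately lists "opaque" POSTs to `admin-ajax.php` with no visible action, which need a WordPress-side log or WAF to resolve. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# AJAX action name behind the wp_ajax_* / wp_ajax_nopriv_* hooks named in the advisory.
TARGET_ACTION = "frontend_admin/delete_object"

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic). Two hits from one IP, one of them
# percent-encoded, one hit from a second IP, one opaque POST with the action hidden
# in the request body, plus two benign requests.
SAMPLE_LOG = [
    '198.51.100.4 - - [09/Jan/2026:10:14:58 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jan/2026:10:15:02 +0000] "POST /wp-admin/admin-ajax.php?action=frontend_admin/delete_object HTTP/1.1" 200 27 "-" "curl/8.4.0"',
    '203.0.113.7 - - [09/Jan/2026:10:15:03 +0000] "POST /wp-admin/admin-ajax.php?action=frontend_admin%2Fdelete_object HTTP/1.1" 200 27 "-" "curl/8.4.0"',
    '192.0.2.9 - - [09/Jan/2026:10:15:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [09/Jan/2026:10:15:12 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [09/Jan/2026:10:16:40 +0000] "POST /wp-admin/admin-ajax.php?action=frontend_admin/delete_object HTTP/1.1" 200 27 "-" "curl/8.4.0"',
]


def parse_line(line):
    """Return a dict of the fields in a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def ajax_action(path):
    """Return the admin-ajax.php 'action' query parameter (decoded), or None.

    parse_qs percent-decodes values, so %2F and / compare equal.
    """
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    values = parse_qs(parts.query).get("action")
    return values[0] if values else None


def find_delete_object_requests(lines):
    """Records whose visible action is the vulnerable delete_object handler."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and ajax_action(rec["path"]) == TARGET_ACTION:
            hits.append(rec)
    return hits


def find_opaque_ajax_posts(lines):
    """POSTs to admin-ajax.php with no action in the query string.

    The action may be in the body, which the access log does not record; these
    need a WordPress-side audit log or WAF log to classify.
    """
    opaque = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if urlsplit(rec["path"]).path.endswith("/wp-admin/admin-ajax.php") and ajax_action(rec["path"]) is None:
            opaque.append(rec)
    return opaque


def summarize(hits):
    """Count flagged requests per source IP; a burst from one IP is the usual signal."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = find_delete_object_requests(SAMPLE_LOG)
    for ip, n in summarize(hits).most_common():
        print(f"{ip}: {n} delete_object request(s)")
    for rec in find_opaque_ajax_posts(SAMPLE_LOG):
        print(f"{rec['ip']}: opaque admin-ajax POST at {rec['ts']} (action not in query string)")
```

To run it against a real server, replace `SAMPLE_LOG` with the lines of the access log; a per-IP count above one or two, or any hit from an IP with no prior authenticated session, is worth correlating with the WordPress deletion history mentioned in the answer above.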
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the ACF Frontend Form Element plugin to a version later than 3.28.25 where the vulnerability is fixed. If an update is not immediately possible, restrict access to the AJAX endpoints `wp_ajax_frontend_admin/delete_object` and `wp_ajax_nopriv_frontend_admin/delete_object` by implementing firewall rules or web server access controls to block unauthorized requests. Additionally, review and harden WordPress user permissions to ensure only trusted users have deletion capabilities. Monitoring and alerting on suspicious deletion activities is also recommended until the patch is applied. [2]