CVE-2025-14741
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: Wordfence

Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14741
EUVD
EUVD-2026-1782
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
dynamiapps frontend_admin to 3.28.25 (inc)
acf frontend_form_element 3.28.26
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include updating the ACF Frontend Form Element plugin to a version later than 3.28.25 where the vulnerability is fixed. If an update is not immediately possible, restrict access to the AJAX endpoints `wp_ajax_frontend_admin/delete_object` and `wp_ajax_nopriv_frontend_admin/delete_object` by implementing firewall rules or web server access controls to block unauthorized requests. Additionally, review and harden WordPress user permissions to ensure only trusted users have deletion capabilities. Monitoring and alerting on suspicious deletion activities is also recommended until the patch is applied. [2]

Executive Summary

CVE-2025-14741 is a vulnerability in the Frontend Admin by DynamiApps WordPress plugin, specifically in the 'delete_object' function. This function handles AJAX requests to delete various WordPress objects such as posts, pages, products, taxonomy terms, and user accounts. The vulnerability arises because there is a missing authorization check (capability check) on this function in all plugin versions up to and including 3.28.25. This flaw allows unauthenticated attackers to delete arbitrary content or user accounts without proper permission checks, potentially causing unauthorized data modification or deletion. [2]

Impact Analysis

This vulnerability can have a severe impact by allowing unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts on a WordPress site using the affected plugin. This can lead to loss of important content, disruption of website functionality, and compromise of user data integrity. Since attackers do not need to be authenticated, the risk of exploitation is high, potentially resulting in significant damage to the website's data and operations. [2]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized AJAX requests to the endpoints `wp_ajax_frontend_admin/delete_object` and `wp_ajax_nopriv_frontend_admin/delete_object`. You can look for suspicious POST requests containing the 'field' key and `_acf_form` and `_acf_objects` data. Commands to detect such activity might include using web server logs or network monitoring tools to filter requests, for example: `grep 'frontend_admin/delete_object' /var/log/apache2/access.log` or using tools like Wireshark or tcpdump to capture HTTP POST requests to these AJAX endpoints. Additionally, checking for unexpected deletions of posts, users, terms, or products in WordPress logs or database audit logs can help detect exploitation attempts. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14741. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart