ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-7802 — Frontend Admin by DynamiApps Authorization Bypass Enables Full Admin Account Takeover

A brief summary of CVE-2026-7802, a missing authorization vulnerability in the Frontend Admin by DynamiApps WordPress plugin that allows subscriber level users to take over administrator accounts by manipulating a user_id URL parameter. Covers technical root cause, affected versions, vendor history, and mitigation guidance.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-27

Quick Look: CVE-2026-7802 — Frontend Admin by DynamiApps Authorization Bypass Enables Full Admin Account Takeover
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing authorization check in the Frontend Admin by DynamiApps WordPress plugin allows any authenticated subscriber to overwrite an administrator's password and email address, achieving full account takeover with nothing more than a manipulated URL parameter. With 20,000+ active installations and a design that deliberately exposes admin form handlers on the public frontend, this plugin's third CWE-862 vulnerability in six months raises serious questions about its architectural approach to access control.

Frontend Admin by DynamiApps (plugin slug: acf-frontend-form-element) is a WordPress plugin that enables site owners to display admin editing forms on the frontend of their websites, allowing users to create and edit posts, users, and other content without accessing the WordPress dashboard. It integrates with Advanced Custom Fields (ACF) and is marketed as a tool to "turn your site into a lucrative Platform as a Service." The plugin has over 20,000 active installations according to the WordPress.org plugin page.

Technical Information

Vulnerability Classification

CVE-2026-7802 falls under CWE-862: Missing Authorization, defined by MITRE as a condition where "the software does not perform an authorization check when an actor attempts to access a resource or perform an action." This distinction matters: the plugin does confirm the user is logged in (authentication), but it fails to verify whether that logged in user has permission to modify the target account (authorization).

The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a score of 8.8. Breaking this down:

  • AV:N: Exploitable remotely over the network
  • AC:L: No special conditions, race windows, or exploit chaining required
  • PR:L: Subscriber level access is sufficient (the lowest WordPress role)
  • UI:N: No interaction from the target administrator is needed
  • C:H/I:H/A:H: Full compromise of confidentiality, integrity, and availability

Root Cause

The vulnerability resides in the plugin's form submission and user profile update handlers. The affected code spans four locations:

FileLineRole
actions/user.php565User action handler
actions/user.php636User data processing
classes/submit.php110Form submission entry point
classes/submit.php392Form submission processing

When processing an Edit User form submission, the plugin accepts a user_id parameter directly from the URL query string (?user_id=) and uses it to determine which user account to modify. The critical defect is that no authorization check verifies whether the currently authenticated user has the capability to edit the account identified by that user_id value. A subscriber can supply any user ID, including that of an administrator, and the plugin will process the form submission against that target account.

The fields that can be overwritten include user_pass, user_email, first_name, last_name, and other standard WordPress profile fields.

Attack Flow

Prerequisites: The attacker needs a subscriber level WordPress account on the target site (obtainable through open registration if enabled) and the site must have at least one Edit User form with its "Roles" configuration setting left empty.

Attack Path 1: Direct Password Replacement

  1. The attacker authenticates as a subscriber.
  2. The attacker identifies an administrator's user ID. In WordPress, the first administrator account is typically user ID 1, making this trivially guessable.
  3. The attacker navigates to a frontend Edit User form that has an empty Roles configuration.
  4. The attacker appends ?user_id=1 (or the target admin's ID) to the form URL.
  5. The attacker submits the form with a new value in the user_pass field.
  6. The plugin processes the submission without authorization checks, directly replacing the administrator's password.
  7. The attacker logs in as the administrator using the new password.

Attack Path 2: Email Redirect Password Reset

  1. Steps 1 through 4 are identical to Attack Path 1.
  2. Instead of modifying user_pass, the attacker changes the user_email field to an email address they control.
  3. The attacker then uses WordPress's standard password reset flow, which sends a reset link to the (now attacker controlled) email address.
  4. The attacker completes the password reset and gains administrator access.

The second path may be preferable in scenarios where the form does not expose the user_pass field but does expose user_email.

Exploitability Constraint

A significant constraint limits the scope of exploitation: the targeted Edit User form must have its Roles configuration setting left empty. When a non empty roles list is configured on the form, the load_data() function checks the target user's role against the allowed list. If the target user's role (e.g., administrator) is not in the allowed list, load_data() sets the user ID to none, preventing the form from loading or modifying that user's data.

This means sites where every Edit User form has a properly configured roles list are not exploitable through this specific vulnerability. However, the default or unconfigured state (empty roles) is the vulnerable state, and administrators who are unaware of this setting may leave it empty.

Discovery and Disclosure

The vulnerability was discovered by security researcher Tiago Ventura (perses) and disclosed through Wordfence's vulnerability reporting program. The CVE was published to NVD on May 28, 2026. The fix is documented in WordPress Trac changeset 3525193.

Affected Systems and Versions

  • Plugin: Frontend Admin by DynamiApps (slug: acf-frontend-form-element)
  • Affected versions: All versions up to and including 3.29.2
  • Patched version: 3.29.3
  • Vulnerable configuration: Edit User forms with the "Roles" configuration setting left empty. Forms with a non empty roles list configured are not exploitable for targeting users outside the specified roles.
  • Required attacker privilege: Authenticated user with subscriber level access or above
  • Platform: WordPress

The vulnerability is confirmed present in source code for tags 3.28.36, 3.29.1, and trunk, as documented in the WordPress Trac references.

Vendor Security History

The Frontend Admin by DynamiApps plugin has accumulated a notable vulnerability history, particularly around CWE-862 Missing Authorization flaws. The following table summarizes known vulnerabilities:

CVETypeCVSSAffected VersionsPatched VersionDate
CVE-2025-13342Unauthenticated Arbitrary Options Update (CWE-862)9.8<= 3.28.203.28.21Dec 3, 2025
CVE-2025-14736Unauthenticated Privilege Escalation (CWE-862)9.8<= 3.28.253.28.26Jan 9, 2026
CVE-2025-14937Stored Cross Site ScriptingNot confirmedNot confirmedNot confirmedNot confirmed
CVE-2026-3328PHP Object InjectionNot confirmed<= 3.28.31Not confirmedMar 27, 2026
CVE-2026-6228Privilege EscalationNot confirmedNot confirmedNot confirmedMay 14, 2026
CVE-2026-7802Missing Authorization to Admin Takeover (CWE-862)8.8<= 3.29.23.29.3May 28, 2026

Three of these six vulnerabilities are CWE-862 Missing Authorization flaws, and two of those carried critical CVSS 9.8 scores. The pattern is clear: each patch addresses a specific endpoint where authorization was omitted, but the plugin lacks a centralized authorization enforcement layer. New endpoints or code paths continue to surface with the same fundamental defect.

Wordfence reported that 3 attacks were blocked within 24 hours targeting CVE-2025-13342 at the time of its disclosure, confirming that threat actors actively monitor and exploit this plugin's authorization flaws shortly after public disclosure.

The plugin was also referenced in the CISA Vulnerability Summary for the week of January 5, 2026 (bulletin SB26-012), reflecting federal level attention to its earlier vulnerabilities.

An important trend in the vulnerability history: CVE-2025-13342 and CVE-2025-14736 both required zero authentication (PR:N, CVSS 9.8), while CVE-2026-7802 requires subscriber level access (PR:L, CVSS 8.8). This suggests the vendor has partially improved authentication checks but continues to fail on authorization enforcement after authentication, reinforcing the conclusion that the plugin's access control model is fundamentally incomplete.

For organizations evaluating continued use of this plugin, the pattern of three high or critical severity authorization bypasses in six months warrants serious consideration of alternative frontend form solutions that implement capability checks as a foundational design principle.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization