Introduction
A missing authorization check in the Frontend Admin by DynamiApps WordPress plugin allows any authenticated subscriber to overwrite an administrator's password and email address, achieving full account takeover with nothing more than a manipulated URL parameter. With 20,000+ active installations and a design that deliberately exposes admin form handlers on the public frontend, this plugin's third CWE-862 vulnerability in six months raises serious questions about its architectural approach to access control.
Frontend Admin by DynamiApps (plugin slug: acf-frontend-form-element) is a WordPress plugin that enables site owners to display admin editing forms on the frontend of their websites, allowing users to create and edit posts, users, and other content without accessing the WordPress dashboard. It integrates with Advanced Custom Fields (ACF) and is marketed as a tool to "turn your site into a lucrative Platform as a Service." The plugin has over 20,000 active installations according to the WordPress.org plugin page.
Technical Information
Vulnerability Classification
CVE-2026-7802 falls under CWE-862: Missing Authorization, defined by MITRE as a condition where "the software does not perform an authorization check when an actor attempts to access a resource or perform an action." This distinction matters: the plugin does confirm the user is logged in (authentication), but it fails to verify whether that logged in user has permission to modify the target account (authorization).
The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a score of 8.8. Breaking this down:
- AV:N: Exploitable remotely over the network
- AC:L: No special conditions, race windows, or exploit chaining required
- PR:L: Subscriber level access is sufficient (the lowest WordPress role)
- UI:N: No interaction from the target administrator is needed
- C:H/I:H/A:H: Full compromise of confidentiality, integrity, and availability
Root Cause
The vulnerability resides in the plugin's form submission and user profile update handlers. The affected code spans four locations:
| File | Line | Role |
|---|---|---|
actions/user.php | 565 | User action handler |
actions/user.php | 636 | User data processing |
classes/submit.php | 110 | Form submission entry point |
classes/submit.php | 392 | Form submission processing |
When processing an Edit User form submission, the plugin accepts a user_id parameter directly from the URL query string (?user_id=) and uses it to determine which user account to modify. The critical defect is that no authorization check verifies whether the currently authenticated user has the capability to edit the account identified by that user_id value. A subscriber can supply any user ID, including that of an administrator, and the plugin will process the form submission against that target account.
The fields that can be overwritten include user_pass, user_email, first_name, last_name, and other standard WordPress profile fields.
Attack Flow
Prerequisites: The attacker needs a subscriber level WordPress account on the target site (obtainable through open registration if enabled) and the site must have at least one Edit User form with its "Roles" configuration setting left empty.
Attack Path 1: Direct Password Replacement
- The attacker authenticates as a subscriber.
- The attacker identifies an administrator's user ID. In WordPress, the first administrator account is typically user ID 1, making this trivially guessable.
- The attacker navigates to a frontend Edit User form that has an empty Roles configuration.
- The attacker appends
?user_id=1(or the target admin's ID) to the form URL. - The attacker submits the form with a new value in the
user_passfield. - The plugin processes the submission without authorization checks, directly replacing the administrator's password.
- The attacker logs in as the administrator using the new password.
Attack Path 2: Email Redirect Password Reset
- Steps 1 through 4 are identical to Attack Path 1.
- Instead of modifying
user_pass, the attacker changes theuser_emailfield to an email address they control. - The attacker then uses WordPress's standard password reset flow, which sends a reset link to the (now attacker controlled) email address.
- The attacker completes the password reset and gains administrator access.
The second path may be preferable in scenarios where the form does not expose the user_pass field but does expose user_email.
Exploitability Constraint
A significant constraint limits the scope of exploitation: the targeted Edit User form must have its Roles configuration setting left empty. When a non empty roles list is configured on the form, the load_data() function checks the target user's role against the allowed list. If the target user's role (e.g., administrator) is not in the allowed list, load_data() sets the user ID to none, preventing the form from loading or modifying that user's data.
This means sites where every Edit User form has a properly configured roles list are not exploitable through this specific vulnerability. However, the default or unconfigured state (empty roles) is the vulnerable state, and administrators who are unaware of this setting may leave it empty.
Discovery and Disclosure
The vulnerability was discovered by security researcher Tiago Ventura (perses) and disclosed through Wordfence's vulnerability reporting program. The CVE was published to NVD on May 28, 2026. The fix is documented in WordPress Trac changeset 3525193.
Affected Systems and Versions
- Plugin: Frontend Admin by DynamiApps (slug:
acf-frontend-form-element) - Affected versions: All versions up to and including 3.29.2
- Patched version: 3.29.3
- Vulnerable configuration: Edit User forms with the "Roles" configuration setting left empty. Forms with a non empty roles list configured are not exploitable for targeting users outside the specified roles.
- Required attacker privilege: Authenticated user with subscriber level access or above
- Platform: WordPress
The vulnerability is confirmed present in source code for tags 3.28.36, 3.29.1, and trunk, as documented in the WordPress Trac references.
Vendor Security History
The Frontend Admin by DynamiApps plugin has accumulated a notable vulnerability history, particularly around CWE-862 Missing Authorization flaws. The following table summarizes known vulnerabilities:
| CVE | Type | CVSS | Affected Versions | Patched Version | Date |
|---|---|---|---|---|---|
| CVE-2025-13342 | Unauthenticated Arbitrary Options Update (CWE-862) | 9.8 | <= 3.28.20 | 3.28.21 | Dec 3, 2025 |
| CVE-2025-14736 | Unauthenticated Privilege Escalation (CWE-862) | 9.8 | <= 3.28.25 | 3.28.26 | Jan 9, 2026 |
| CVE-2025-14937 | Stored Cross Site Scripting | Not confirmed | Not confirmed | Not confirmed | Not confirmed |
| CVE-2026-3328 | PHP Object Injection | Not confirmed | <= 3.28.31 | Not confirmed | Mar 27, 2026 |
| CVE-2026-6228 | Privilege Escalation | Not confirmed | Not confirmed | Not confirmed | May 14, 2026 |
| CVE-2026-7802 | Missing Authorization to Admin Takeover (CWE-862) | 8.8 | <= 3.29.2 | 3.29.3 | May 28, 2026 |
Three of these six vulnerabilities are CWE-862 Missing Authorization flaws, and two of those carried critical CVSS 9.8 scores. The pattern is clear: each patch addresses a specific endpoint where authorization was omitted, but the plugin lacks a centralized authorization enforcement layer. New endpoints or code paths continue to surface with the same fundamental defect.
Wordfence reported that 3 attacks were blocked within 24 hours targeting CVE-2025-13342 at the time of its disclosure, confirming that threat actors actively monitor and exploit this plugin's authorization flaws shortly after public disclosure.
The plugin was also referenced in the CISA Vulnerability Summary for the week of January 5, 2026 (bulletin SB26-012), reflecting federal level attention to its earlier vulnerabilities.
An important trend in the vulnerability history: CVE-2025-13342 and CVE-2025-14736 both required zero authentication (PR:N, CVSS 9.8), while CVE-2026-7802 requires subscriber level access (PR:L, CVSS 8.8). This suggests the vendor has partially improved authentication checks but continues to fail on authorization enforcement after authentication, reinforcing the conclusion that the plugin's access control model is fundamentally incomplete.
For organizations evaluating continued use of this plugin, the pattern of three high or critical severity authorization bypasses in six months warrants serious consideration of alternative frontend form solutions that implement capability checks as a foundational design principle.
References
- NVD: CVE-2026-7802
- Wordfence Advisory: Frontend Admin by DynamiApps <= 3.29.2 Missing Authorization
- WordPress Plugin Page: Frontend Admin by DynamiApps
- WordPress Trac: actions/user.php L565 (tag 3.29.1)
- WordPress Trac: actions/user.php L636 (tag 3.29.1)
- WordPress Trac: classes/submit.php L110 (tag 3.29.1)
- WordPress Trac: classes/submit.php L392 (tag 3.29.1)
- WordPress Trac: Changeset 3525193
- Patchstack: Frontend Admin Vulnerability History
- Wordfence Advisory: CVE-2025-13342 (Unauthenticated Arbitrary Options Update)
- WP Firewall Advisory: CVE-2025-14736 (Privilege Escalation)
- SentinelOne: CVE-2026-3328 (PHP Object Injection)
- FreshySites: CVE-2026-6228 Security Bulletin
- CWE-862: Missing Authorization
- DynamiApps Official Website
- CISA Vulnerability Summary: Week of January 5, 2026 (SB26-012)



