Frontend Admin by DynamiApps <= 3.28.29 - Unauthenticated Privilege Escalation to Administrator via Role Form Field
Platform
wordpress
Component
acf-frontend-form-element
Fixed in
3.28.30
CVE-2025-14736 is a critical privilege escalation vulnerability in the Frontend Admin plugin by DynamiApps (slug acf-frontend-form-element) for WordPress. Because the plugin trusted the value submitted in a role form field, an unauthenticated attacker can assign themselves the administrator role and take complete control of the site. All versions up to and including 3.28.29 are affected; version 3.28.30 fixes the issue.
Impact and attack scenarios
The impact is severe. An attacker exploiting CVE-2025-14736 obtains full administrative access without any prior credentials. With that access they can modify any content, install arbitrary plugins or themes (and so execute code on the server), create further privileged accounts, and read or alter everything the site stores, including personal user data, payment-related records and any business process that runs through the site. As with other privilege escalation flaws of this kind, the root cause is insufficient validation of a user-supplied value.
Exploitation context
CVE-2025-14736 was published on 2026-01-09. As of that date there is no indication of exploitation in the wild and no publicly available proof of concept. The EPSS score is currently 0.03% (10th percentile); given the critical severity and the trivial preconditions (no credentials, no user interaction), patching should be prioritised regardless of the low EPSS figure.
Who is at risk
WordPress sites running the Frontend Admin plugin are at risk, above all those that expose the plugin's registration or profile forms (and with them the role field) to anonymous visitors. On shared hosting a compromised site can serve as a foothold against the other installations on the same server, so neighbouring sites should be treated as exposed until the compromised one has been cleaned.
Detection steps
• wordpress: Check the installed plugin version with wp-cli; the list shows the slug, not the display name, so match on acf-frontend-form-element:
wp plugin list --fields=name,version,status | grep acf-frontend-form-element
Anything below 3.28.30 is vulnerable.
• wordpress: Review the site's registration settings. These live in the options table (users_can_register and default_role, shown under Settings > General), not in wp-config.php, which does not control roles or registration.
• wordpress: List administrator accounts and look for any you do not recognise, especially ones registered after the plugin was installed. The role assigned during registration is not visible in HTTP access logs, so the user table is the authoritative place to check.
• generic web: Monitor access logs for POST requests to the plugin's form endpoints from unauthenticated clients. Because request bodies are not normally logged, pair this with alerting on new administrator accounts or role changes (for example from a user-activity audit plugin).
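The checks above can be combined into one script executed under wp-cli so that WordPress is bootstrapped. This is an added example, not part of the advisory or of the plugin's own code; it assumes the plugin lives in the directory acf-frontend-form-element (the component slug above) and uses a review cut-off date that you choose yourself:

```php
<?php
/**
 * Added example (not the advisory's or the plugin's code). Run as:
 *   wp eval-file check-cve-2025-14736.php
 * It reports the installed plugin version, the registration settings and
 * administrator accounts created after a cut-off date.
 * Assumptions: the plugin directory is acf-frontend-form-element and the
 * cut-off date below is one you pick for your own review window.
 */

if ( ! defined( 'ABSPATH' ) ) {
    fwrite( STDERR, "Run this through wp-cli: wp eval-file check-cve-2025-14736.php\n" );
    exit( 1 );
}

require_once ABSPATH . 'wp-admin/includes/plugin.php';

$fixed_version = '3.28.30';                        // first fixed release
$plugin_dir    = 'acf-frontend-form-element/';     // assumed plugin directory
$cutoff        = '2025-12-01 00:00:00';            // assumed review cut-off

// 1. Installed version versus the first fixed version.
$found = false;
foreach ( get_plugins() as $file => $data ) {
    if ( strpos( $file, $plugin_dir ) !== 0 ) {
        continue;
    }
    $found = true;
    $state = version_compare( $data['Version'], $fixed_version, '<' ) ? 'VULNERABLE' : 'patched';
    printf( "%s %s: %s (fixed in %s)\n", $data['Name'], $data['Version'], $state, $fixed_version );
}
if ( ! $found ) {
    echo "No plugin found under {$plugin_dir}; compare with `wp plugin list`.\n";
}

// 2. Registration settings are options, not wp-config.php constants.
printf(
    "users_can_register=%s default_role=%s\n",
    get_option( 'users_can_register' ) ? '1' : '0',
    get_option( 'default_role' )
);

// 3. Administrator accounts, newest first; flag those created after the cut-off.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );
foreach ( $admins as $user ) {
    // user_registered is 'Y-m-d H:i:s', so a string comparison orders correctly.
    $flag = ( $user->user_registered > $cutoff ) ? 'REVIEW' : 'ok';
    printf( "%-6s #%d %s registered %s\n", $flag, $user->ID, $user->user_login, $user->user_registered );
}
```

Accounts flagged REVIEW are not proof of compromise on their own; compare them against your onboarding records and the plugin's form submission history before removing them, and keep in mind that an attacker who has already gained administrator access may have created additional accounts with a less conspicuous role.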
Attack timeline
- Disclosure
Threat analysis
Exploit status
No public proof of concept and no in-the-wild exploitation reported as of publication
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, from the metrics below)
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the Internet; no physical or local access required.
- Attack Complexity
- Low: no special conditions required; reliably exploitable.
- Privileges Required
- None: exploitable without authentication; no credentials needed.
- User Interaction
- None: the attack runs automatically and silently; the victim does nothing.
- Scope
- Unchanged: impact confined to the vulnerable component.
- Confidentiality
- High: complete loss of confidentiality; the attacker can read all data.
- Integrity
- High: the attacker can write, modify or delete arbitrary data.
- Availability
- High: complete loss of availability; the attacker can take the site down entirely.
Affected software
Package information
- Active installations
- 10K (known)
- Plugin rating
- 4.5
- Requires WordPress
- 4.6+
- Tested up to
- 6.8.5
- Requires PHP
- 5.6.0+
Vulnerability classification (CWE)
Timeline
- Reserved
- Published: 2026-01-09
- Modified
- EPSS updated
Mitigation and workarounds
The primary mitigation for CVE-2025-14736 is to upgrade the Frontend Admin plugin to version 3.28.30 or later without delay. If the upgrade has to wait because of compatibility concerns, reduce exposure in the meantime: unpublish or deactivate the plugin's public registration and profile forms (or the plugin itself), turn off open registration ("Anyone can register") unless the site needs it, and remove the Role field from any form that must stay live so the role is never chosen by the visitor. A WAF rule that drops form submissions carrying an administrator role value can buy time but is not a substitute for patching. After patching, audit the administrator accounts: updating the plugin does not remove accounts or roles an attacker has already obtained.
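To make the point about the Role field concrete, the handler below shows the bug class named in the title, a role taken straight from the request, next to a hardened version. This is an added illustration written for this page, not Frontend Admin's own code; the field names, the nonce action and the $allowed_roles list are assumptions.

```php
<?php
/**
 * Added example, not code from the Frontend Admin plugin. Two versions of a
 * minimal frontend registration handler. Field names ('username', 'email',
 * 'password', 'role', '_example_nonce') and the nonce action are assumptions.
 */

// UNSAFE: the role comes verbatim from the request, so any visitor can send
// role=administrator and become one. This is the pattern the advisory describes.
function example_register_unsafe() {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $_POST['role'] ?? get_option( 'default_role' ), // attacker-controlled
    ) );
}

// HARDENED: the client never decides the role. Anonymous registration always
// gets the site's default role. Anything else requires a logged-in caller with
// the promote_users capability, a valid nonce, and a role the form owner
// explicitly allowed, which is never administrator.
function example_register_hardened( array $allowed_roles = array( 'subscriber' ) ) {
    if ( ! isset( $_POST['_example_nonce'] )
        || ! wp_verify_nonce( $_POST['_example_nonce'], 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    $role      = get_option( 'default_role' );
    $requested = sanitize_key( $_POST['role'] ?? '' );

    if ( '' !== $requested && $requested !== $role ) {
        // Choosing a role is a privileged action, so the caller must already hold it.
        if ( ! is_user_logged_in() || ! current_user_can( 'promote_users' ) ) {
            return new WP_Error( 'forbidden', 'You may not choose a role.' );
        }
        // Allow-list on the server side; an administrator can never be granted here,
        // and the role must exist on this site.
        if ( 'administrator' === $requested
            || ! in_array( $requested, $allowed_roles, true )
            || ! wp_roles()->is_role( $requested ) ) {
            return new WP_Error( 'bad_role', 'Role not permitted by this form.' );
        }
        $role = $requested;
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $role,
    ) );
}
```

The same rule applies to profile-edit forms that end in wp_update_user(): a role value from the client is only ever an index into a server-side allow-list, checked against the caller's capabilities, and never passed through. Note that sanitising the value (sanitize_key) does nothing for authorisation; "administrator" is a perfectly well-formed role name.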
How to fix
Update to version 3.28.30 or a newer patched version
Frequently asked questions
What is CVE-2025-14736 — Privilege Escalation in Frontend Admin?
CVE-2025-14736 is a critical vulnerability in the Frontend Admin WordPress plugin allowing unauthenticated attackers to gain administrator privileges.
Am I affected by CVE-2025-14736 in Frontend Admin?
If you are using Frontend Admin plugin versions 0.0.0 through 3.28.29, you are vulnerable to this privilege escalation attack.
How do I fix CVE-2025-14736 in Frontend Admin?
Upgrade the Frontend Admin plugin to version 3.28.30 or later to resolve this vulnerability. Consider temporary mitigations if immediate upgrade is not possible.
Is CVE-2025-14736 being actively exploited?
While no active exploitation has been confirmed, the vulnerability's simplicity makes it a likely target for attackers.
Where can I find the official DynamiApps advisory for CVE-2025-14736?
Refer to the DynamiApps website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-14736.