Platform
wordpress
Component
acf-frontend-form-element
Fixed in
3.28.30
CVE-2025-14736 is a critical privilege escalation vulnerability in the Frontend Admin plugin by DynamiApps for WordPress (plugin slug acf-frontend-form-element). An unauthenticated attacker can escalate to the administrator role and thereby take complete control of the site. Versions 0.0.0 through 3.28.29 are affected; version 3.28.30 contains the fix.
The impact is severe. An attacker needs no prior credentials: once the escalation succeeds they hold an administrator account and can edit any content, install plugins (including backdoors), create further privileged users, and take over the whole installation together with everything it hosts, including any personal data stored in the site. The detection and mitigation guidance below targets the role field of the plugin's registration form, which places this flaw in the familiar class of WordPress privilege escalations where a role value chosen by the client is accepted without server-side validation.
CVE-2025-14736 was published on 2026-01-09. As of that date there is no report of exploitation in the wild and no publicly available proof-of-concept exploit. The EPSS score is currently 0.03% (10th percentile); a low EPSS shortly after publication reflects the absence of observed activity, not low severity, so patching should be prioritized on the basis of the critical rating and the fact that no authentication is required.
Every WordPress site running Frontend Admin below 3.28.30 is affected; sites that expose a registration form built with the plugin to anonymous visitors are the most directly exposed. On shared hosting, a compromised site can additionally put neighbouring installations at risk where the provider does not isolate customer accounts from one another.
• wordpress: Check the installed plugin version with WP-CLI. The plugin's slug is acf-frontend-form-element; grepping the output of wp plugin list for the display name "Frontend Admin" finds nothing, because that command prints slugs, not titles:
wp plugin get acf-frontend-form-element --field=version
• wordpress: Check whether open registration is enabled and which role new accounts receive. These are stored as the options users_can_register and default_role (wp option get), not in wp-config.php.
• wordpress: Audit the administrator accounts and their creation dates (wp user list --role=administrator, field user_registered) and confirm each one was created by a known admin. The role assigned to a new account is not visible in web-server access logs, so the user table is the authoritative place to look.
• generic web: Monitor web-server access logs for requests to the registration endpoint whose query string carries a role parameter set to administrator. A role value submitted in a POST body does not appear in standard access logs, so pair this check with the user audit above.
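The checks above, combined into one triage script. This is an added example written for this page; it is not part of the advisory and not code from DynamiApps. It assumes WP-CLI is installed and the script is run from the WordPress root. The plugin slug and the fixed version are taken from the advisory; the access-log parameter name "role", the value "administrator" and the log path in the usage below are assumptions.

```shell
#!/bin/sh
# Triage helper for CVE-2025-14736 (added example, not from the advisory or DynamiApps).
# Assumes WP-CLI ("wp") is installed and the script runs from the WordPress root.
# Slug and fixed version come from the advisory; the "role" query parameter name and the
# "administrator" value matched in access logs are assumptions about how a request would look.

PLUGIN_SLUG="acf-frontend-form-element"
FIXED_VERSION="3.28.30"

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower than B.
# Fields are compared numerically, so 3.28.9 < 3.28.29 < 3.28.30; a missing field
# counts as 0 (3.28 == 3.28.0) and non-digit characters inside a field are ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        an=$(printf '%s' "$ah" | tr -cd '0-9'); an="${an:-0}"
        bn=$(printf '%s' "$bh" | tr -cd '0-9'); bn="${bn:-0}"
        [ "$an" -lt "$bn" ] && return 0
        [ "$an" -gt "$bn" ] && return 1
    done
    return 1
}

# is_vulnerable VERSION: succeed when VERSION is below the fixed release (3.28.30).
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# role_parameter_hits LOGFILE: print access-log lines whose request line carries a role
# parameter set to administrator, plain (role=) or as an URL-encoded array (role%5B%5D=).
# Access logs record only the query string, so a role value sent in a POST body is not seen.
role_parameter_hits() {
    grep -iE 'role(%5B%5D|\[\])?=administrator' "$1" || :
}

# triage [LOGFILE]: run the advisory's checks against the live site.
triage() {
    v=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null)
    if [ -z "$v" ]; then
        echo "Frontend Admin ($PLUGIN_SLUG) is not installed."
    elif is_vulnerable "$v"; then
        echo "VULNERABLE: $PLUGIN_SLUG $v is below $FIXED_VERSION (CVE-2025-14736)"
        # Stop-gap if you cannot update right now:  wp option update users_can_register 0
    else
        echo "OK: $PLUGIN_SLUG $v is at or above the fixed version"
    fi
    echo "users_can_register=$(wp option get users_can_register) default_role=$(wp option get default_role)"
    echo "Administrator accounts (confirm each was created by a known admin):"
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
    if [ -n "${1:-}" ]; then
        echo "Access-log lines carrying role=administrator in $1:"
        role_parameter_hits "$1"
    fi
}

# Only run against a site where WP-CLI exists; the functions can still be sourced elsewhere.
if command -v wp >/dev/null 2>&1; then
    triage "$@"
fi
```

Run it from the WordPress root with the access log as an optional argument (for example sh triage.sh /var/log/nginx/access.log, path assumed). A VULNERABLE result means update now; where that has to wait, the commented wp option update line turns off open registration, which is the WP-CLI form of the registration restriction recommended in the mitigation section, and the administrator listing tells you whether an account has already been planted.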
disclosure
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14736 is to upgrade the Frontend Admin plugin to version 3.28.30 or later without delay. If an immediate upgrade is not possible because of compatibility concerns, restrict self-registration until it is: disable "Anyone can register" under Settings > General (option users_can_register) or take the plugin's registration forms offline, and review every administrator account created in the meantime. What actually closes the hole is server-side validation of the 'Role' field on the registration form, so that a self-registered user can only receive the configured default role; that belongs in the plugin itself, and a site owner cannot reliably retrofit it into third-party code. A WAF rule that blocks registration requests carrying a role parameter may reduce exposure, but it is not a substitute for patching.
Update to version 3.28.30 or a later patched version.
CVE-2025-14736 is a critical vulnerability in the Frontend Admin WordPress plugin allowing unauthenticated attackers to gain administrator privileges.
If you are using Frontend Admin plugin versions 0.0.0 through 3.28.29, you are vulnerable to this privilege escalation attack.
Upgrade the Frontend Admin plugin to version 3.28.30 or later to resolve this vulnerability. Consider temporary mitigations if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability requires no authentication, which makes it an attractive target for attackers once the details become known.
Refer to the DynamiApps website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-14736.