CRITICAL | CVE-2025-14736 | CVSS 9.8

CVE-2025-14736: Privilege Escalation in Frontend Admin

Platform: WordPress
Component: acf-frontend-form-element (Frontend Admin by DynamiApps)
Fixed in: 3.28.30

AI Confidence: high | Source: NVD | EPSS: 0.03% | Reviewed: May 2026

CVE-2025-14736 is a critical privilege escalation vulnerability in the Frontend Admin plugin by DynamiApps for WordPress (plugin slug acf-frontend-form-element). The plugin's front-end user registration form can include a Role field, and an unauthenticated visitor can use it to register an account with the administrator role, which grants complete control over the site. All versions up to and including 3.28.29 are affected; the fix is in version 3.28.30.



Impact and Attack Scenarios

The impact is severe: an attacker exploiting CVE-2025-14736 obtains full administrative access without any prior authentication. With it they can modify any content, install malicious plugins or themes, create or delete users, exfiltrate data such as user records and stored credentials, deface the site, or use it as a foothold for attacks on other systems on the network. Exploitation requires only reaching a registration form that includes a Role field; no other precondition is described, which is what makes the risk so high.
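To make the bug class concrete, here is an added example that is not code from the Frontend Admin plugin or from DynamiApps: a hypothetical front-end registration handler that honours a client-supplied Role field, placed next to a hardened version. The example_* function names, the $form_config array and the allow-list are assumptions; the wp_*, sanitize_* and capability calls are WordPress core functions.

```php
<?php
// Added example: a hypothetical front-end registration handler, not code from
// Frontend Admin or DynamiApps. Shows the bug class this page describes (a
// Role field from the request honoured by the server) next to a hardened form.
// example_* names and the $form_config array are assumptions; the wp_* and
// sanitize_* calls are WordPress core functions.

// VULNERABLE: the role comes straight from the POST body. An unauthenticated
// visitor who submits role=administrator is created as an administrator.
function example_register_vulnerable(array $post) {
    $userdata = array(
        'user_login' => sanitize_user($post['user_login'] ?? ''),
        'user_email' => sanitize_email($post['user_email'] ?? ''),
        'user_pass'  => $post['user_pass'] ?? '',
        'role'       => $post['role'] ?? get_option('default_role', 'subscriber'), // client-controlled
    );
    return wp_insert_user($userdata);
}

// HARDENED: the request can never choose the role. The role is read from the
// server-side form configuration, constrained to a small allow-list, and only
// a logged-in user holding promote_users may assign anything outside that list.
function example_register_hardened(array $post, array $form_config) {
    // Roles a public registration form is ever allowed to hand out (assumption).
    $public_roles = array('subscriber', 'contributor');
    $default_role = get_option('default_role', 'subscriber');

    $role = isset($form_config['role']) ? $form_config['role'] : $default_role;
    if (! wp_roles()->is_role($role)) {
        $role = $default_role;                  // unknown role name in config
    }
    if (! in_array($role, $public_roles, true) && ! current_user_can('promote_users')) {
        $role = $default_role;                  // privileged role without the capability
    }

    $login = sanitize_user($post['user_login'] ?? '', true);
    $email = sanitize_email($post['user_email'] ?? '');
    $pass  = (string) ($post['user_pass'] ?? '');
    if ($login === '' || ! is_email($email) || $pass === '') {
        return new WP_Error('invalid_registration', 'Missing or invalid registration fields.');
    }

    // $post['role'] is deliberately never read, whether or not the form shows a Role field.
    return wp_insert_user(array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ));
}
```

The difference that matters is that the hardened handler derives the role from state the attacker cannot touch (server-side configuration plus the caller's capabilities) and ignores the request parameter entirely. Hiding or removing the field in the HTML alone would leave example_register_vulnerable exploitable by a direct POST.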

Exploitation Context

CVE-2025-14736 was publicly disclosed on 2026-01-09. The simplicity of the flaw (a single form submission) makes widespread opportunistic exploitation plausible. No public proof-of-concept code had been identified at the time of writing, although the ease of exploitation makes it likely that one will appear. The CVSS score of 9.8 (Critical) warrants immediate patching. The CVE is not currently listed in the CISA KEV catalog.

Threat Intelligence

Exploit Status
Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS
0.03% (10th percentile)

CISA SSVC
Exploitation: none
Automatable: yes
Technical Impact: total

CVSS Vector

CVSS 3.1 base score 9.8 (Critical): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network | Attack Complexity: Low | Privileges Required: None | User Interaction: None | Scope: Unchanged | Confidentiality: High | Integrity: High | Availability: High
Source: nextguardhq.com, CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — an attacker with administrator access can read every post, user record, setting and stored credential on the site.
Integrity
High — an administrator can edit or delete any data, upload arbitrary plugin and theme code, and change site configuration.
Availability
High — an administrator can take the site offline, for example by deleting content, disabling plugins or breaking the configuration.

Affected Software

Component: acf-frontend-form-element (Frontend Admin)
Vendor: DynamiApps (the source record lists wordfence, the reporting CNA, rather than the plugin vendor)
Affected range: all versions up to and including 3.28.29
Fixed in: 3.28.30

Package Information

Active installs: 10K+
Plugin rating: 4.5
Requires WordPress: 4.6+
Compatible up to: 6.8.5
Requires PHP: 5.6.0+


Timeline

  1. Reserved
  2. Published (2026-01-09)
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-14736 is to upgrade the Frontend Admin plugin to version 3.28.30 or later immediately. If the upgrade has to wait for compatibility testing, temporarily disable or restrict access to the plugin's user registration form, or remove the Role field from it; bear in mind that an attacker who knows the parameter name can still submit it directly, so removing the field from the rendered form only helps if the plugin stops processing it server-side, and taking the form offline is the safer interim step. A Web Application Firewall rule that blocks registration requests carrying a role parameter set to administrator adds a layer of defense but is not a substitute for the patch. Audit the users table for administrator accounts you did not create, especially any registered on or after the disclosure date, and monitor registration activity for attempts to set the role to 'administrator'; a rogue administrator found this way means the site should be treated as compromised, not merely patched.
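As an added example of the interim guard described above (not the vendor's patch and not code from the plugin), here is a must-use plugin that reverts any administrator or editor role assignment made by an actor without the promote_users capability, logs the attempt, and provides an audit helper that lists administrators created since a given date. The set_user_role and add_user_role hooks, wp_installing(), get_users() and WP_User methods are WordPress core; the example_* names and the choice to treat editor as a guarded role are assumptions.

```php
<?php
/*
Plugin Name: Example role guard (mu-plugin)
Description: Added example, not the vendor's patch. Reverts administrator or
editor role assignments made by an actor without the promote_users capability
and offers an audit helper for recently created administrators. Drop into
wp-content/mu-plugins/ only as a stopgap until Frontend Admin is updated.
*/

// Roles that must never be granted through an unprivileged path such as a
// public registration form. Assumption: editors are treated as privileged too.
function example_guarded_roles() {
    return array('administrator', 'editor');
}

// Legitimate ways to assign a privileged role: site installation, WP-CLI on
// the server, or a logged-in user who holds promote_users.
function example_role_change_permitted() {
    if (function_exists('wp_installing') && wp_installing()) {
        return true;
    }
    if (defined('WP_CLI') && WP_CLI) {
        return true;
    }
    return is_user_logged_in() && current_user_can('promote_users');
}

function example_log_reverted_role($user_id, $role) {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'none';
    error_log(sprintf('[role-guard] reverted role "%s" on user %d (remote %s)', $role, $user_id, $ip));
}

// WP_User::set_role() (used by wp_insert_user and wp_update_user) fires
// set_user_role after the role has been written, so the revert happens here.
add_action('set_user_role', function ($user_id, $role, $old_roles) {
    if (! in_array($role, example_guarded_roles(), true) || example_role_change_permitted()) {
        return;
    }
    $user = new WP_User($user_id);
    // set_role() fires this hook again with the fallback role, which is not
    // guarded, so the callback returns early and there is no loop.
    $user->set_role(get_option('default_role', 'subscriber'));
    example_log_reverted_role($user_id, $role);
}, 10, 3);

// WP_User::add_role() stacks a second role onto an account and fires add_user_role.
add_action('add_user_role', function ($user_id, $role) {
    if (! in_array($role, example_guarded_roles(), true) || example_role_change_permitted()) {
        return;
    }
    $user = new WP_User($user_id);
    $user->remove_role($role);
    if (empty($user->roles)) {
        $user->set_role(get_option('default_role', 'subscriber'));
    }
    example_log_reverted_role($user_id, $role);
}, 10, 2);

// Audit helper: administrators whose account was registered on or after $since
// (any strtotime() date string). Run from WP-CLI, for example:
//   wp eval 'print_r(example_admins_registered_since("2026-01-09"));'
function example_admins_registered_since($since) {
    $cutoff = strtotime($since);
    $admins = get_users(array(
        'role'   => 'administrator',
        'fields' => array('ID', 'user_login', 'user_email', 'user_registered'),
    ));
    return array_values(array_filter($admins, function ($u) use ($cutoff) {
        return strtotime($u->user_registered) >= $cutoff;
    }));
}
```

A [role-guard] line in the PHP error log is direct evidence of an exploitation attempt and the source address is worth blocking. The audit helper only finds accounts that still hold the administrator role, so if it returns anything unexpected, review the whole users table and treat the site as compromised rather than relying on the revert alone.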

How to fix

Update to version 3.28.30 or a newer patched version.


Frequently asked questions

What is CVE-2025-14736 — Privilege Escalation in Frontend Admin?

CVE-2025-14736 is a critical vulnerability in the Frontend Admin WordPress plugin allowing unauthenticated attackers to gain administrator privileges.

Am I affected by CVE-2025-14736 in Frontend Admin?

If you are running any version of the Frontend Admin plugin up to and including 3.28.29, you are vulnerable to this privilege escalation attack.

How do I fix CVE-2025-14736 in Frontend Admin?

Upgrade the Frontend Admin plugin to version 3.28.30 or later to resolve this vulnerability. Consider temporary mitigations if immediate upgrade is not possible.

Is CVE-2025-14736 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's simplicity makes it a likely target for attackers.

Where can I find the official DynamiApps advisory for CVE-2025-14736?

Refer to the DynamiApps website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-14736.
