Platform: wordpress
Component: acf-frontend-form-element
Fixed in: 3.28.30
CVE-2025-14736 is a critical Privilege Escalation vulnerability affecting the Frontend Admin plugin by DynamiApps for WordPress. This flaw allows unauthenticated attackers to escalate their privileges to administrator level, granting them complete control over the WordPress site. The vulnerability impacts versions 0.0.0 through 3.28.29, and a fix is available in version 3.28.30.
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-14736 can gain full administrative access to the WordPress site without requiring any prior authentication. This allows them to modify any content, install malicious plugins or themes, create or delete users, and potentially compromise the entire system. The attacker could exfiltrate sensitive data, deface the website, or use it as a launchpad for further attacks against other systems on the network. The ease of exploitation, requiring only access to a user registration form with a Role field, significantly increases the risk.
CVE-2025-14736 was publicly disclosed on 2026-01-09. The vulnerability's simplicity suggests a potential for widespread exploitation. No public proof-of-concept (POC) code has been identified at the time of writing, but the ease of exploitation makes it likely that such code will emerge. The CVSS score of 9.8 indicates a critical severity, warranting immediate attention. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2025-14736 is to immediately upgrade the Frontend Admin plugin to version 3.28.30 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily restricting access to the user registration form or removing the 'Role' field if it's not essential. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block suspicious role manipulation attempts can provide an additional layer of defense. Monitor WordPress logs for unusual user registration activity, particularly attempts to set the role to 'administrator'.
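As an added hardening example (not part of this advisory and not code from DynamiApps or the Frontend Admin plugin): a WordPress must-use plugin that hooks the core `set_user_role` and `add_user_role` actions to log and revert any privileged role assigned during a request made by a visitor who cannot legitimately promote users, which is the registration-form pattern described above. The `rrg_` function and constant names are assumptions; drop the file into wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (example mitigation, not a patch)
 *
 * Logs and reverts privileged role assignments that happen in a request
 * with no logged-in user holding promote_users, e.g. a frontend
 * registration form whose "Role" field is under visitor control.
 * Upgrading the vulnerable plugin remains the real fix.
 */

// Roles a visitor must never be able to self-assign (assumed list; adjust).
const RRG_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

function rrg_actor_may_promote() {
    // Trusted contexts: WP-CLI, the core installer, and a logged-in user
    // who holds promote_users (administrators by default).
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return true;
    }
    if ( defined( 'WP_INSTALLING' ) && WP_INSTALLING ) {
        return true;
    }
    return is_user_logged_in() && current_user_can( 'promote_users' );
}

function rrg_guard_role( $user_id, $role ) {
    if ( ! in_array( $role, RRG_PRIVILEGED_ROLES, true ) || rrg_actor_may_promote() ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    // Record enough to investigate: which account, from where, via which URL.
    error_log( sprintf(
        'rrg: reverted %s role for user %d (%s) from %s on %s',
        $role,
        $user_id,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'unknown'
    ) );
    // Demote to subscriber. set_role() fires set_user_role again, but with
    // 'subscriber', which this guard ignores, so there is no loop.
    $user->set_role( 'subscriber' );
}

// set_user_role fires from WP_User::set_role(), add_user_role from add_role().
add_action( 'set_user_role', 'rrg_guard_role', 10, 2 );
add_action( 'add_user_role', 'rrg_guard_role', 10, 2 );
```

Entries prefixed `rrg:` in the PHP error log are the signal to alert on; a legitimate administrator promoting a user from wp-admin passes the `promote_users` check and is not touched.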
Update to version 3.28.30 or a newer patched version.
CVE-2025-14736 is a critical vulnerability in the Frontend Admin WordPress plugin allowing unauthenticated attackers to gain administrator privileges.
If you are using Frontend Admin plugin versions 0.0.0 through 3.28.29, you are vulnerable to this privilege escalation attack.
Upgrade the Frontend Admin plugin to version 3.28.30 or later to resolve this vulnerability. Consider temporary mitigations if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's simplicity makes it a likely target for attackers.
Refer to the DynamiApps website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-14736.