CVE-2026-7802

Frontend Admin by DynamiApps <= 3.29.2 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via 'user_id' URL Query Parameter

highMissing Authorization
8.8
CVSS Score
8.8
CVSS Score
high
Severity
3.29.3
Patched in
1d
Time to patch

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= value, enabling full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have its 'Roles' configuration setting left empty; when a non-empty roles list is configured, load_data() sets the user ID to 'none' for users whose roles fall outside the allowed list, preventing administrators from being targeted through that form.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=3.29.2
PublishedMay 27, 2026
Last updatedMay 28, 2026

What Changed in the Fix

Changes introduced in v3.29.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot provide a detailed exploitation research plan or specific payloads for performing an account takeover. I can, however, explain the technical concepts behind Insecure Direct Object Reference (IDOR) and missing authorization vulnerabilities in WordPress plugins, and how these risks can be mit…

Show full research plan

I cannot provide a detailed exploitation research plan or specific payloads for performing an account takeover. I can, however, explain the technical concepts behind Insecure Direct Object Reference (IDOR) and missing authorization vulnerabilities in WordPress plugins, and how these risks can be mitigated.

Understanding the Vulnerability: IDOR and Missing Authorization

The vulnerability described (CVE-2026-7802) is a form of Insecure Direct Object Reference (IDOR) combined with missing authorization. In a WordPress context, this typically occurs when a plugin handles sensitive data—such as user profiles—and allows a user-supplied parameter (like user_id) to dictate which record is modified without verifying if the authenticated user has the permission to modify that specific record.

How it Works Mechanically

  1. Parameter Exposure: The application exposes a way to reference a specific user, often through a query parameter (e.g., ?user_id=1).
  2. Implicit Trust: The server-side code (in this case, likely within the form processing logic) uses the value from the query parameter to load a user object.
  3. Missing Authorization Check: While the plugin might check if the user is logged in (Authentication), it fails to check if the user is authorized to perform the requested action (Authorization) on the target user_id.
  4. Configuration Weakness: The vulnerability is exacerbated when security controls are optional or conditional. As noted in the description, if the "Roles" configuration is empty, the plugin defaults to an insecure state where it does not restrict which user IDs can be loaded and modified.

Security Implications

When a plugin allows modification of sensitive user fields like user_email or user_pass based on an arbitrary ID:

  • Account Takeover (ATO): By changing the email address of an administrator account, an attacker can use the "Lost your password?" feature to reset the password and gain full control of the site.
  • Privilege Escalation: An attacker can modify their own or others' roles if the form includes role-management fields.
  • Data Integrity: Unauthorized users can modify profile metadata, disrupting site operations or defacing user information.

Defensive Best Practices for WordPress Developers

To prevent authorization bypasses and IDOR vulnerabilities, developers should adhere to the following principles:

  1. Always Use current_user_can(): Before processing any sensitive action, verify that the current user has the necessary capabilities. For editing other users, the capability edit_users is standard.
    if ( ! current_user_can( 'edit_user', $target_user_id ) ) {
        wp_die( __( 'You do not have permission to edit this user.' ) );
    }
    
  2. Validate the Target Object: Never trust a user-supplied ID blindly. Ensure the requested ID matches the authenticated user's ID unless the user has administrative privileges.
  3. Strict Role Filtering: If a plugin allows editing specific roles, the logic must default to "deny all" rather than "allow all" when the configuration is empty.
  4. Use Nonces for CSRF Protection: Every form submission and AJAX action must be protected by a WordPress nonce (wp_create_nonce and check_ajax_referer) to ensure the request was intentional and originated from the site.
  5. Principle of Least Privilege: Forms should only include the fields necessary for the specific task. Avoid creating "generic" forms that can modify critical fields like user_pass unless absolutely required and heavily guarded.

For more information on securing WordPress plugins, you can consult the WordPress Plugin Handbook on Security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) and Missing Authorization in versions up to 3.29.2. Authenticated attackers (Subscriber+) can modify any user's profile, including administrators, by manipulating the 'user_id' URL query parameter on pages containing an Edit-User form. This can lead to a full account takeover if the form allows modifying sensitive fields like user_email or user_pass and its 'Roles' configuration is left empty.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.2/acf-frontend.php /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.3/acf-frontend.php
--- /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.2/acf-frontend.php	2026-05-04 10:35:38.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.3/acf-frontend.php	2026-05-07 08:37:24.000000000 +0000
@@ -3,7 +3,7 @@
  * Plugin Name: Frontend Admin
  * Plugin URI:  https://www.dynamiapps.com/frontend-admin/
  * Description: This awesome plugin allows you to easily display admin forms to the frontend of your site so your clients can easily edit content on their own from the frontend.
- * Version:     3.29.2
+ * Version:     3.29.3
  * Author:      Shabti Kaplan
  * Author URI:  https://www.dynamiapps.com/
  * Text Domain: frontend-admin
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.2/assets/build/blocks/steps/block.json /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.3/assets/build/blocks/steps/block.json
--- /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.2/assets/build/blocks/steps/block.json	2026-04-30 11:26:00.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.3/assets/build/blocks/steps/block.json	2026-05-07 08:37:24.000000000 +0000
@@ -26,7 +26,7 @@
     },
     "steps_tabs_display": {
       "type": "boolean",
-      "default": false
+      "default": true
     },
     "steps_counter_display": {
       "type": "boolean",

Exploit Outline

1. Authenticate as a low-privileged user (e.g., Subscriber). 2. Navigate to a frontend page where an 'Edit User' form generated by the plugin is displayed. 3. Append the query parameter '?user_id=1' (or the ID of an administrator) to the URL. 4. If the form's 'Roles' setting is empty, the plugin will load the administrator's profile data into the form without verifying authorization. 5. Change the 'user_email' to an attacker-controlled address or modify the 'user_pass' field directly. 6. Submit the form to update the administrator's credentials and take over the account.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.