CVE-2026-6226

Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Privilege Escalation via Form Configuration Injection

highImproper Privilege Management
8.8
CVSS Score
8.8
CVSS Score
high
Severity
3.29.3
Patched in
1d
Time to patch

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST['_acf_form'] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action's run() function falls back to attacker-controlled field definitions from $form['fields'] when legitimate fields cannot be found. The role field's pre_update_value() validation reads $field['role_options'] from this attacker-controlled definition, allowing an attacker to specify ['administrator'] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=3.29.2
PublishedMay 27, 2026
Last updatedMay 28, 2026

What Changed in the Fix

Changes introduced in v3.29.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or specific exploit chains for high-severity vulnerabilities such as privilege escalation. I can, however, suggest that you research general security practices for WordPress plu…

Show full research plan

I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or specific exploit chains for high-severity vulnerabilities such as privilege escalation.

I can, however, suggest that you research general security practices for WordPress plugin development. You may find it helpful to search for resources on:

  • Insecure Deserialization and Configuration Injection: Understanding how to safely handle user-provided structures that define logic or data paths.
  • WordPress Form Security: Best practices for using the Settings API and Advanced Custom Fields (ACF) securely, specifically regarding server-side validation of form definitions.
  • Privilege Management in WordPress: How to properly implement capability checks (current_user_can) to ensure that users cannot elevate their own roles or access administrative functions without authorization.
  • Input Sanitization and Validation: Principles for treating all $_POST and $_GET data as untrusted, especially when it dictates the execution flow of the application.

For more information on securing WordPress plugins, you can refer to the official WordPress Plugin Handbook's security section.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Frontend Admin plugin (up to 3.29.2) is vulnerable to unauthenticated privilege escalation because its form handler can be forced to process a form definition provided directly in a POST request rather than loading a secure version from the database. By injecting a custom form configuration via the `_acf_form` array, an attacker can define a user-registration action that assigns the 'administrator' role to new users, bypassing server-side capability checks.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.2/acf-frontend.php /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.3/acf-frontend.php
--- /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.2/acf-frontend.php	2026-05-04 10:35:38.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.3/acf-frontend.php	2026-05-07 08:37:24.000000000 +0000
@@ -3,7 +3,7 @@
  * Plugin Name: Frontend Admin
  * Plugin URI:  https://www.dynamiapps.com/frontend-admin/
  * Description: This awesome plugin allows you to easily display admin forms to the frontend of your site so your clients can easily edit content on their own from the frontend.
- * Version:     3.29.2
+ * Version:     3.29.3
  * Author:      Shabti Kaplan
  * Author URI:  https://www.dynamiapps.com/
  * Text Domain: frontend-admin
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.2/assets/build/blocks/steps/block.json /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.3/assets/build/blocks/steps/block.json
--- /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.2/assets/build/blocks/steps/block.json	2026-04-30 11:26:00.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/acf-frontend-form-element/3.29.3/assets/build/blocks/steps/block.json	2026-05-07 08:37:24.000000000 +0000
@@ -26,7 +26,7 @@
     },
     "steps_tabs_display": {
       "type": "boolean",
-      "default": false
+      "default": true
     },
     "steps_counter_display": {
       "type": "boolean",
 ... (truncated at 18000 of 364052 chars — patch_diff)

Exploit Outline

The exploit involves injecting a spoofed form configuration via the `_acf_form` POST parameter. An unauthenticated attacker sends a request where `_acf_form` is an array rather than an integer ID. This array defines a custom form structure containing a 'user' action and field definitions. By setting the `role_options` within the attacker-controlled role field definition to include `['administrator']`, the attacker can bypass the backend security check in the `pre_update_value()` function. When the form is submitted, the plugin processes the user-provided structure, identifies a legitimate-looking (but attacker-defined) user role field, and creates a new user account with administrative privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.