Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Privilege Escalation via Form Configuration Injection
Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST['_acf_form'] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action's run() function falls back to attacker-controlled field definitions from $form['fields'] when legitimate fields cannot be found. The role field's pre_update_value() validation reads $field['role_options'] from this attacker-controlled definition, allowing an attacker to specify ['administrator'] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=3.29.2What Changed in the Fix
Changes introduced in v3.29.3
Source Code
WordPress.org SVNI cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or specific exploit chains for high-severity vulnerabilities such as privilege escalation. I can, however, suggest that you research general security practices for WordPress plu…
Show full research plan
I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or specific exploit chains for high-severity vulnerabilities such as privilege escalation.
I can, however, suggest that you research general security practices for WordPress plugin development. You may find it helpful to search for resources on:
- Insecure Deserialization and Configuration Injection: Understanding how to safely handle user-provided structures that define logic or data paths.
- WordPress Form Security: Best practices for using the Settings API and Advanced Custom Fields (ACF) securely, specifically regarding server-side validation of form definitions.
- Privilege Management in WordPress: How to properly implement capability checks (
current_user_can) to ensure that users cannot elevate their own roles or access administrative functions without authorization. - Input Sanitization and Validation: Principles for treating all
$_POSTand$_GETdata as untrusted, especially when it dictates the execution flow of the application.
For more information on securing WordPress plugins, you can refer to the official WordPress Plugin Handbook's security section.
Summary
The Frontend Admin plugin (up to 3.29.2) is vulnerable to unauthenticated privilege escalation because its form handler can be forced to process a form definition provided directly in a POST request rather than loading a secure version from the database. By injecting a custom form configuration via the `_acf_form` array, an attacker can define a user-registration action that assigns the 'administrator' role to new users, bypassing server-side capability checks.
Security Fix
@@ -3,7 +3,7 @@ * Plugin Name: Frontend Admin * Plugin URI: https://www.dynamiapps.com/frontend-admin/ * Description: This awesome plugin allows you to easily display admin forms to the frontend of your site so your clients can easily edit content on their own from the frontend. - * Version: 3.29.2 + * Version: 3.29.3 * Author: Shabti Kaplan * Author URI: https://www.dynamiapps.com/ * Text Domain: frontend-admin @@ -26,7 +26,7 @@ }, "steps_tabs_display": { "type": "boolean", - "default": false + "default": true }, "steps_counter_display": { "type": "boolean", ... (truncated at 18000 of 364052 chars — patch_diff)
Exploit Outline
The exploit involves injecting a spoofed form configuration via the `_acf_form` POST parameter. An unauthenticated attacker sends a request where `_acf_form` is an array rather than an integer ID. This array defines a custom form structure containing a 'user' action and field definitions. By setting the `role_options` within the attacker-controlled role field definition to include `['administrator']`, the attacker can bypass the backend security check in the `pre_update_value()` function. When the form is submitted, the plugin processes the user-provided structure, identifies a legitimate-looking (but attacker-defined) user role field, and creates a new user account with administrative privileges.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.