Shabti Frontend Admin By Dynamiapps vulnerabilities
14 known vulnerabilities affecting shabti/frontend_admin_by_dynamiapps.
Total CVEs
14
CISA KEV
0
Public exploits
1
Exploited in wild
2
Severity breakdown
CRITICAL4HIGH6MEDIUM4
Vulnerabilities
Page 1 of 1
CVE-2025-13342P1CRITICALCVSS 9.8ExploitedPoC≤ 3.28.202025-12-03
CVE-2025-13342 [CRITICAL] CWE-862 CVE-2025-13342: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify cri
nvd
CVE-2022-4974P2MEDIUMCVSS 6.3Exploitedfixed in 3.3.332024-10-16
CVE-2022-4974 [MEDIUM] CWE-862 CVE-2022-4974: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cr
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme runni
nvd
CVE-2025-14736P2CRITICALCVSS 9.8≤ 3.28.292026-01-09
CVE-2025-14736 [CRITICAL] CWE-269 CVE-2025-14736: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all v
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.29. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to regis
nvd
CVE-2024-3729P2CRITICALCVSS 9.8≤ 3.19.42024-05-02
CVE-2024-3729 [CRITICAL] CWE-636 CVE-2024-3729: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption e
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'fea_encrypt' function in all versions up to, and including, 3.19.4. This makes it possible for unauthenticated attackers to manipulate the user processing forms, which can be used to add and edit administrator user for privil
nvd
CVE-2026-6226P2HIGHCVSS 8.8≤ 3.29.22026-05-28
CVE-2026-6226 [HIGH] CWE-269 CVE-2026-6226: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege esc
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST['_acf_form'] is an array (rather than a
nvd
CVE-2025-14741P2CRITICALCVSS 9.1≤ 3.28.252026-01-09
CVE-2025-14741 [CRITICAL] CWE-862 CVE-2025-14741: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unau
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products,
nvd
CVE-2026-6228P2HIGHCVSS 8.8≤ 3.28.362026-05-15
CVE-2026-6228 [HIGH] CWE-269 CVE-2026-6228: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in versi
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 3.28.36. This is due to insufficient authorization checks in the role field update mechanism combined with overly permissive capabilities for the admin_form post type. The admin_form custom post type uses 'capability_type' => 'page
nvd
CVE-2026-7802P3HIGHCVSS 8.8≤ 3.29.22026-05-28
CVE-2026-7802 [HIGH] CWE-862 CVE-2026-7802: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all v
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrato
nvd
CVE-2024-11721P3HIGHCVSS 8.1≤ 3.24.52024-12-14
CVE-2024-11721 [HIGH] CWE-269 CVE-2024-11721: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation in all v
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.24.5. This is due to insufficient controls on the user role select field when utilizing the 'Role' field in a form. This makes it possible for unauthenticated attackers to create new administrative user accounts, even whe
nvd
CVE-2026-3328P3HIGHCVSS 7.2≤ 3.28.312026-03-26
CVE-2026-3328 [HIGH] CWE-502 CVE-2026-3328: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via dese
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post con
nvd
CVE-2025-14937P3HIGHCVSS 7.2≤ 3.28.232026-01-09
CVE-2025-14937 [HIGH] CWE-79 CVE-2025-14937: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting v
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitr
nvd
CVE-2024-11722P3MEDIUMCVSS 5.9≤ 3.25.12024-12-21
CVE-2024-11722 [MEDIUM] CWE-89 CVE-2024-11722: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to SQL Injection via the 'orderb
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.25.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additiona
nvd
CVE-2026-10039P4MEDIUMCVSS 4.9≤ 3.28.82026-05-29
CVE-2026-10039 [MEDIUM] CWE-89 CVE-2026-10039: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administ
nvd
CVE-2024-11720P4MEDIUMCVSS 6.1≤ 3.24.52024-12-14
CVE-2024-11720 [MEDIUM] CWE-79 CVE-2024-11720: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting v
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via submission forms in all versions up to, and including, 3.24.5 due to insufficient input sanitization and output escaping on the new Taxonomy form. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that wil
nvd