Unauthorized Data Modification in Frontend Admin Plugin by DynamiApps for WordPress
CVE-2025-14741

9.1CRITICAL

Key Information:

Vendor

WordPress
Status
Frontend Admin By Dynamiapps
Vendor
CVE Published:
9 January 2026

What is CVE-2025-14741?

The Frontend Admin plugin by DynamiApps for WordPress has a significant vulnerability that allows unauthenticated attackers to modify and delete data without proper authorization checks. Specifically, a missing capability validation associated with the 'delete_object' function can be exploited. This oversight affects all versions up to and including 3.28.25, enabling potential breaches where attackers can delete posts, pages, products, taxonomy terms, and even user accounts, making it imperative for website administrators to address this vulnerability promptly.

Affected Version(s)

Frontend Admin by DynamiApps * <= 3.28.25

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/acf-frontend-f...

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

andrea bocchetti
JSON
.
CVE-2025-14741 : Unauthorized Data Modification in Frontend Admin Plugin by DynamiApps for WordPress