Stored Cross-Site Scripting Vulnerability in Frontend Admin Plugin by DynamiApps
CVE-2025-14937

7.2HIGH

Key Information:

Vendor

WordPress
Status
Frontend Admin By Dynamiapps
Vendor
CVE Published:
9 January 2026

What is CVE-2025-14937?

The Frontend Admin plugin developed by DynamiApps for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability due to inadequate input validation and output escaping mechanisms. This flaw exists in the 'acff' parameter during the 'frontend_admin/forms/update_field' AJAX action in all versions up to 3.28.23. As a result, unauthenticated attackers can exploit this vulnerability to inject malicious web scripts into pages, which can be executed whenever a user visits the compromised page. It is crucial for website administrators to apply necessary security measures to mitigate this risk.

Affected Version(s)

Frontend Admin by DynamiApps * <= 3.28.23

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3427236/acf-...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Paolo Tresso
JSON
.
CVE-2025-14937 : Stored Cross-Site Scripting Vulnerability in Frontend Admin Plugin by DynamiApps