Unauthenticated Privilege Escalation in Frontend Admin by DynamiApps for WordPress
CVE-2026-6226

8.8HIGH

Key Information:

Vendor: WordPress
Status: Frontend Admin By Dynamiapps
Vendor: CVE Published:; 28 May 2026

What is CVE-2026-6226?

The Frontend Admin plugin developed by DynamiApps for WordPress contains serious security flaws that allow unauthenticated attackers to escalate privileges. The vulnerability arises from improper handling of form submissions, permitting attackers to inject arbitrary form definitions. The validate_form() function neglects traditional database lookup methods and processes attacker-controlled structures directly, enabling malicious users to craft custom forms. Specifically, the attacker can manipulate role definitions within the form data to gain unauthorized administrator access. This vulnerability is present in all versions up to and including 3.29.2, representing a significant risk for WordPress sites utilizing this plugin.

Affected Version(s)

Frontend Admin by DynamiApps 0 <= 3.29.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/acf-frontend-f...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 28, 2026
Vulnerability Reserved
Apr 13, 2026

Credit

daroo

CVE-2026-6226 Data

JSON