Privilege Escalation Vulnerability in Frontend Admin Plugin for WordPress by DynamiApps
CVE-2026-6228

8.8 HIGH

Key Information:

Vendor:
WordPress

CVE Published:
15 May 2026

What is CVE-2026-6228?

The Frontend Admin plugin by DynamiApps for WordPress is vulnerable to privilege escalation because its role update mechanism performs inadequate authorization checks. The plugin's configuration lets users with the Editor role modify roles, which allows them to raise their own access to the Administrator level. When an editor uses the 'edit_user' functionality to create a form, they can add 'administrator' to the role options by sending a direct POST request, bypassing restrictions that exist only in the user interface. As a result, an attacker who is able to register as an editor can exploit this flaw to obtain elevated permissions.
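The root cause described above is that the role list shown in the form is trusted by the server. The following added example, which is not code from the Frontend Admin plugin, shows a server-side guard for a front-end "edit user" handler; the function names prefixed fa_example_ are hypothetical, and it assumes it runs inside WordPress with core functions such as current_user_can, get_editable_roles and wp_roles available.

```php
// Added example (not the plugin's code): a server-side guard for a front-end
// "edit user" handler. Assumes it runs inside WordPress with core loaded.

function fa_example_allowed_role_change( string $requested_role ) {
    $requested_role = sanitize_key( $requested_role );

    // 1. Only users holding 'promote_users' may change roles at all. Default
    //    Editors lack it, so they stop here whatever the POST body contains.
    if ( ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'fa_no_promote', 'You are not allowed to change user roles.' );
    }

    // 2. The role must exist and be one the current user may assign.
    //    get_editable_roles() is not loaded on front-end requests, so include it.
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }
    $editable = get_editable_roles();
    if ( '' === $requested_role || empty( $editable[ $requested_role ] ) ) {
        return new WP_Error( 'fa_bad_role', 'You are not allowed to give users that role.' );
    }

    // 3. Never hand out a role carrying capabilities the acting user lacks. Even if
    //    the form's role list is tampered with, an Editor cannot grant 'manage_options'.
    $role = wp_roles()->get_role( $requested_role );
    foreach ( array_keys( array_filter( $role->capabilities ) ) as $cap ) {
        if ( ! current_user_can( $cap ) ) {
            return new WP_Error( 'fa_cap_escalation', "Cannot assign a role that grants '$cap'." );
        }
    }
    return true;
}

// POST handler: nonce and per-user capability checks come before any write,
// and the role list shown in the form is never treated as authoritative.
function fa_example_handle_edit_user( int $user_id ) {
    check_admin_referer( 'fa_example_edit_user_' . $user_id );
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Not allowed.' );
    }
    if ( isset( $_POST['role'] ) ) {
        $requested = sanitize_key( wp_unslash( $_POST['role'] ) );
        $verdict   = fa_example_allowed_role_change( $requested );
        if ( is_wp_error( $verdict ) ) {
            wp_die( esc_html( $verdict->get_error_message() ) );
        }
        get_userdata( $user_id )->set_role( $requested );
    }
}
```

The check in step 3 is the one that matters for this advisory: it decides on capabilities, not on which roles a form happened to list, so a POST body naming 'administrator' is rejected for any user who does not already hold administrator capabilities.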

Affected Version(s)

Frontend Admin by DynamiApps 0 <= 3.28.36

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Colin Xu