Frontend Admin by DynamiApps Plugin for WordPress <= 3.29.2 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/frontend-admin-by-dynamiapps-plugin-for-wordpress--3.29.2/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 28 May 2026 09:19:15 +0000CVE-2026-6226 - Frontend Admin WordPress Plugin Unauthenticated Privilege Escalationhttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-6226-wordpress-privesc/Thu, 28 May 2026 09:19:15 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-6226-wordpress-privesc/The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2, allowing attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.The Frontend Admin by DynamiApps plugin for WordPress, in versions up to and including 3.29.2, is vulnerable to an unauthenticated privilege escalation vulnerability, tracked as CVE-2026-6226. This vulnerability stems from insecure handling of form submissions. Instead of securely loading form definitions from the backend, the plugin accepts arbitrary form definitions directly from user input. Specifically, when the $_POST['_acf_form'] parameter is an array (rather than a form ID), the validate_form() function bypasses the intended database lookup and processes the attacker-controlled structure directly. This allows attackers to manipulate form configurations to create administrator accounts.

Attack Chain

  1. An unauthenticated attacker sends a crafted HTTP POST request to a WordPress endpoint that utilizes the vulnerable Frontend Admin plugin.
  2. The POST request includes a specially crafted _acf_form parameter as an array, bypassing the plugin’s intended form validation logic.
  3. The validate_form() function processes the attacker-controlled _acf_form array directly, skipping the database lookup for legitimate form definitions.
  4. The create_record() function preserves any attacker-supplied record data present in the request.
  5. During user action execution, the run() function falls back to attacker-controlled field definitions within the $form['fields'] array if legitimate fields are not found.
  6. The attacker-controlled field definitions contain a manipulated ‘role’ field that specifies ‘administrator’ as an allowed role option.
  7. The pre_update_value() validation function reads $field['role_options'] from the attacker-controlled field definition, bypassing security checks that would normally prevent unauthorized role assignment.
  8. A new administrator account is created on the WordPress instance using the attacker-supplied credentials and the spoofed role field.

Impact

Successful exploitation of CVE-2026-6226 allows unauthenticated attackers to create administrator accounts on vulnerable WordPress sites. This grants them complete control over the affected website, potentially leading to data theft, defacement, malware distribution, or further exploitation of the underlying server. Given the widespread use of WordPress and the Frontend Admin plugin, a large number of websites are potentially at risk if they are not patched to a version greater than 3.29.2.

Recommendation

  • Upgrade the Frontend Admin by DynamiApps plugin for WordPress to the latest version (greater than 3.29.2) to patch CVE-2026-6226.
  • Deploy the Sigma rule “Detect CVE-2026-6226 Exploitation Attempt — WordPress Frontend Admin Plugin Privilege Escalation” to your SIEM to detect exploitation attempts based on suspicious POST requests.
  • Monitor web server logs for POST requests containing _acf_form parameters with array values to identify potential exploitation attempts.
]]>criticaladvisorycvewordpressprivilege-escalationunauthenticated