{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/frontend-admin-by-dynamiapps-plugin-for-wordpress/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6228"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Frontend Admin by DynamiApps plugin for WordPress"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","wordpress","plugin","CVE-2026-6228"],"_cs_type":"threat","_cs_vendors":["DynamiApps"],"content_html":"\u003cp\u003eThe Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation in all versions up to and including 3.28.36 (CVE-2026-6228). Two weaknesses combine. First, the \u0026lsquo;admin_form\u0026rsquo; post type is registered with \u0026lsquo;capability_type\u0026rsquo; =\u0026gt; \u0026lsquo;page\u0026rsquo;, so any user holding the page capabilities, which includes the editor role, can create and edit forms. Second, the list of roles a form may assign is restricted only in the admin UI: a direct POST request to the form editor can place \u0026lsquo;administrator\u0026rsquo; in the form\u0026rsquo;s \u0026lsquo;role_options\u0026rsquo; array, and the role update path performs no authorization check on the caller. An attacker with an editor account can therefore promote themselves to administrator. The chain is reachable by unauthenticated attackers on sites where a public registration form (for example one built with the plugin) assigns the editor role to new accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUnauthenticated attacker registers an account on the WordPress site through a public registration form (e.g., a \u0026lsquo;new_user\u0026rsquo; form). 
This account is assigned the \u0026lsquo;editor\u0026rsquo; role.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003ewp-admin/post.php\u003c/code\u003e that creates a new post of the \u0026lsquo;admin_form\u0026rsquo; custom post type; the \u0026lsquo;page\u0026rsquo; capabilities granted to editors allow this.\u003c/li\u003e\n\u003cli\u003eThe POST data configures the form as an \u0026lsquo;edit_user\u0026rsquo; form.\u003c/li\u003e\n\u003cli\u003eThe same POST data places \u0026lsquo;administrator\u0026rsquo; in the form\u0026rsquo;s \u0026lsquo;role_options\u0026rsquo; array, a value the plugin\u0026rsquo;s UI would not offer but the save handler does not reject.\u003c/li\u003e\n\u003cli\u003eThe malicious \u0026lsquo;edit_user\u0026rsquo; form is created.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the new form, targeting their own user ID and selecting the \u0026lsquo;administrator\u0026rsquo; role.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epre_update_value()\u003c/code\u003e validates the submitted role only against the form\u0026rsquo;s \u0026lsquo;role_options\u0026rsquo;; because the attacker controls that list and the function performs no capability check on the submitting user (WordPress gates role changes behind \u003ccode\u003epromote_users\u003c/code\u003e), \u0026lsquo;administrator\u0026rsquo; is accepted.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s account is elevated to administrator.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6228 gives the attacker full administrative control of the affected WordPress site, and on the affected configuration the chain starts from an unauthenticated position. Administrator access means complete compromise: data theft, defacement, malware or backdoor injection (including arbitrary PHP through plugin or theme uploads), and denial of service. 
The CVSS v3.1 base score is 8.8, which falls in the High band.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate the Frontend Admin by DynamiApps plugin for WordPress to a version later than 3.28.36, which remediates CVE-2026-6228.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WordPress Frontend Admin Plugin Privilege Escalation Attempt\u0026rdquo; to flag POST requests to \u003ccode\u003ewp-admin/post.php\u003c/code\u003e that write \u003ccode\u003eadministrator\u003c/code\u003e into the \u003ccode\u003erole_options\u003c/code\u003e array. The indicator is in the request body, so the rule needs a log source that records POST bodies, such as a WAF or ModSecurity audit log; a standard web server access log shows only the path.\u003c/li\u003e\n\u003cli\u003eReview WordPress roles and capabilities: editor-level users should not be able to create or edit plugin forms, and no public registration form should assign the editor role to new accounts (new users should default to subscriber).\u003c/li\u003e\n\u003cli\u003eCheck for prior exploitation: look for accounts whose role changed to administrator without an existing administrator making the change, and for \u0026lsquo;edit_user\u0026rsquo; forms whose \u0026lsquo;role_options\u0026rsquo; contain \u0026lsquo;administrator\u0026rsquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T09:18:54Z","date_published":"2026-05-15T09:18:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6228-wordpress-privesc/","summary":"The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6228) in versions up to and including 3.28.36. An editor-level account, obtainable unauthenticated where a public registration form assigns that role, can promote itself to administrator.","title":"CVE-2026-6228 - WordPress Frontend Admin Plugin Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6228-wordpress-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Frontend Admin by DynamiApps Plugin for WordPress","version":"https://jsonfeed.org/version/1.1"}
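The two weaknesses the brief describes (a custom post type inheriting the `page` capabilities, and a role update that trusts the form's own `role_options` list) and the corresponding hardened patterns, as an added illustrative PHP example. This is not the Frontend Admin plugin's code: the post type slug `admin_form`, the `role_options` setting and the `edit_user` form type come from the brief, while every function name and the custom capability names are assumptions made for the example. The WordPress APIs used (`register_post_type`, `get_role`, `current_user_can`, `get_editable_roles`, `WP_User::set_role`, `wp_die`) are real core functions.

```php
<?php
// Added example, NOT the plugin's own code. Function and capability names are assumed.

// --- Weakness 1: capability_type => 'page' lets editors create/edit forms.
// Editors hold edit_pages, publish_pages and edit_others_pages, so a post
// type that inherits the 'page' capabilities is fully writable by them.
function vulnerable_register_admin_form() {
    register_post_type( 'admin_form', array(
        'public'          => false,
        'show_ui'         => true,
        'capability_type' => 'page',   // any editor can now create/edit forms
    ) );
}

// Hardened: give the post type its own capability names, let WordPress map
// meta caps onto them, and grant them to administrators only.
function hardened_register_admin_form() {
    register_post_type( 'admin_form', array(
        'public'          => false,
        'show_ui'         => true,
        'capability_type' => array( 'admin_form', 'admin_forms' ),
        'map_meta_cap'    => true,
        'capabilities'    => array(
            'edit_post'          => 'edit_admin_form',
            'read_post'          => 'read_admin_form',
            'delete_post'        => 'delete_admin_form',
            'edit_posts'         => 'edit_admin_forms',
            'edit_others_posts'  => 'edit_others_admin_forms',
            'publish_posts'      => 'publish_admin_forms',
            'read_private_posts' => 'read_private_admin_forms',
            'create_posts'       => 'edit_admin_forms',
        ),
    ) );
}

// Run once (e.g. on plugin activation). Custom capability names are held by
// no role until granted, so after this only administrators can touch forms.
function hardened_grant_admin_form_caps() {
    $admin = get_role( 'administrator' );
    if ( ! $admin ) {
        return;
    }
    $caps = array(
        'edit_admin_form', 'read_admin_form', 'delete_admin_form',
        'edit_admin_forms', 'edit_others_admin_forms',
        'publish_admin_forms', 'read_private_admin_forms',
    );
    foreach ( $caps as $cap ) {
        $admin->add_cap( $cap );
    }
}

// --- Weakness 2: the role update checks the value against the form's own
// role_options but never asks whether the submitting user may assign roles.
// Because a form author controls role_options, this check is not a boundary.
function vulnerable_apply_role( WP_User $target, $new_role, array $role_options ) {
    if ( in_array( $new_role, $role_options, true ) ) {
        $target->set_role( $new_role );
    }
}

// Hardened: require the core promote_users capability, intersect the form's
// list with the roles WordPress says the current user may actually assign
// (get_editable_roles() honours the editable_roles filter), and refuse
// self-promotion through a front-end form.
function hardened_apply_role( WP_User $target, $new_role, array $role_options ) {
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( 'You are not allowed to change user roles.', 403 );
    }
    if ( get_current_user_id() === $target->ID ) {
        wp_die( 'You cannot change your own role.', 403 );
    }
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php'; // front-end requests do not load it
    }
    $assignable = array_keys( get_editable_roles() );
    $allowed    = array_intersect( $role_options, $assignable );
    if ( ! in_array( $new_role, $allowed, true ) ) {
        wp_die( 'Invalid role.', 400 );
    }
    $target->set_role( $new_role );
}
```

The point of the hardened role check is that a value stored in a post an editor can write is attacker-controlled data, not policy: authorization has to be decided from the current user's capabilities at request time, and the role list on the form can only narrow, never widen, what core would already allow.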