PatchSiren cyber security CVE debrief

CVE-2026-10039 shabti CVE debrief

A SQL injection vulnerability in the Frontend Admin by DynamiApps WordPress plugin allows authenticated administrators to extract sensitive database information. The flaw exists in the payment list administration page where the 'order' parameter is concatenated into SQL queries without adequate escaping or prepared statement usage. Exploitation requires both 'order' and 'orderby' parameters to reach the vulnerable code path. The issue affects all versions up to and including 3.28.28; version 3.29.3 contains patched code per repository tags. The CVSS 3.1 score of 4.9 (Medium) reflects the high privilege requirement (PR:H) that limits the attack surface to administrator-level accounts. No known exploitation in ransomware campaigns has been documented.

Vendor: shabti
Product: Frontend Admin by DynamiApps
CVSS: MEDIUM 4.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

WordPress site administrators using the Frontend Admin by DynamiApps plugin; security teams managing WordPress installations and their administrator-level access controls; database administrators responsible for monitoring unauthorized query execution.

Technical summary

The Frontend Admin by DynamiApps plugin (also referenced as acf-frontend-form-element) contains a SQL injection vulnerability in the payment list administration interface. The 'order' parameter in main/admin/admin-pages/payments/list.php is incorporated into SQL queries without sufficient escaping or query preparation. Both 'order' and 'orderby' parameters must be present to reach the vulnerable execution path. The issue is classified as CWE-89 and was remediated in changeset 3472098, with patched code present in tag 3.29.3. Attackers with administrator-level authentication can leverage this to append arbitrary SQL and extract sensitive database information.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade the Frontend Admin by DynamiApps plugin to version 3.29.3 or later
  • Review administrator account access controls and audit for unauthorized privilege usage
  • Implement Web Application Firewall rules to detect and block SQL injection patterns in 'order' and 'orderby' parameters
  • Review database query construction in custom admin list implementations for proper parameterization
  • Monitor database query logs for anomalous SELECT statements or unauthorized information extraction attempts
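The technical summary describes the weakness as an 'order' sort parameter concatenated into an ORDER BY clause, and the fourth action above asks for a review of query construction in custom admin list code. The following PHP is an added illustration of that pattern and its fix; it is not code from the Frontend Admin plugin or from its repository. The table name, column list and function names are hypothetical, chosen only to resemble a payments list screen. ORDER BY identifiers and sort direction cannot be bound as prepared-statement values, which is why the hardened form uses a fixed allowlist for them and reserves `$wpdb->prepare()` for actual values.

```php
<?php
// Added illustrative example, not code from the Frontend Admin plugin.
// It models the generic pattern the debrief describes: a WordPress admin
// list screen whose 'order' and 'orderby' request parameters feed ORDER BY.
// Table and column names below are hypothetical.

// ---- Vulnerable pattern (constructed for illustration) -------------------
// Both request values are spliced directly into the SQL text. As in the
// advisory, the 'order' value is only reached when 'orderby' is also set.
function payments_list_sql_vulnerable( $wpdb, array $request ) {
    $table = $wpdb->prefix . 'frontend_admin_payments'; // hypothetical table
    $sql   = "SELECT id, user_id, amount, status FROM {$table}";
    if ( ! empty( $request['orderby'] ) && ! empty( $request['order'] ) ) {
        // Unescaped, unvalidated interpolation: the root cause of CWE-89 here.
        $sql .= ' ORDER BY ' . $request['orderby'] . ' ' . $request['order'];
    }
    return $sql;
}

// ---- Hardened pattern ------------------------------------------------------
// Sort column and direction are validated against a fixed allowlist and any
// unexpected value collapses to a safe default. Filter values that really are
// data (here a status string) go through $wpdb->prepare().
const PAYMENTS_SORTABLE_COLUMNS = array( 'id', 'user_id', 'amount', 'status', 'created_at' );

function payments_list_sql_hardened( $wpdb, array $request ) {
    // sanitize_key() lowercases and strips everything outside [a-z0-9_-].
    $orderby = isset( $request['orderby'] ) ? sanitize_key( $request['orderby'] ) : 'id';
    if ( ! in_array( $orderby, PAYMENTS_SORTABLE_COLUMNS, true ) ) {
        $orderby = 'id';
    }

    $order = isset( $request['order'] ) ? strtoupper( sanitize_key( $request['order'] ) ) : 'DESC';
    $order = ( 'ASC' === $order ) ? 'ASC' : 'DESC';

    $table = $wpdb->prefix . 'frontend_admin_payments'; // hypothetical table
    $sql   = "SELECT id, user_id, amount, status FROM {$table}";

    if ( ! empty( $request['status'] ) ) {
        // A real value: bound through prepare(), never concatenated.
        $sql = $wpdb->prepare( $sql . ' WHERE status = %s', sanitize_text_field( $request['status'] ) );
    }

    // Both tokens now come from the allowlist, not from the request.
    return $sql . " ORDER BY {$orderby} {$order}";
}
```

When reviewing custom list tables, the check is mechanical: every identifier that reaches ORDER BY, GROUP BY or a column list must originate from a constant array the code controls, and every literal value must pass through `$wpdb->prepare()` with a `%s`, `%d` or `%f` placeholder. Request values such as `$_GET['order']` that are seen inside a string concatenation building SQL are the finding to flag.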

Evidence notes

The vulnerability was reported by Wordfence and is tracked in the NVD with status 'Deferred'. Source references indicate the affected file is main/admin/admin-pages/payments/list.php at lines 45-46. Changeset 3472098 in the WordPress plugin repository shows remediation activity. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N confirms network attack vector with high privileges required, confidentiality impact only. CWE-89 (SQL Injection) is the primary weakness classification.

Official resources

2026-05-29