PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6226 shabti CVE debrief

A critical privilege escalation vulnerability in the Frontend Admin by DynamiApps WordPress plugin allows unauthenticated attackers to create administrator accounts. The flaw stems from insecure form submission handling that accepts arbitrary form definitions from user input rather than securely loading validated configurations from the backend. When the `_acf_form` POST parameter is submitted as an array instead of a valid form ID, the plugin's validation logic bypasses database lookups and processes attacker-controlled form structures directly. The vulnerability chain involves multiple components: the `validate_form()` function accepts injected form definitions, `create_record()` preserves attacker-supplied data, and the user action's `run()` function falls back to attacker-controlled field definitions when legitimate fields are unavailable. Critically, the role field's `pre_update_value()` validation reads allowed roles from `$field['role_options']` within the attacker-controlled definition, enabling specification of `['administrator']` to bypass security checks. This represents a fundamental trust boundary violation where client-supplied data structures are used for security-critical decisions without server-side validation.

Vendor: shabti
Product: Frontend Admin by DynamiApps
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

WordPress site administrators using the Frontend Admin by DynamiApps plugin; security teams managing WordPress estates; hosting providers with shared WordPress environments; incident responders investigating WordPress compromises

Technical summary

The Frontend Admin plugin (≤3.29.2) fails to validate form definitions server-side, allowing attackers to inject custom form configurations via the `_acf_form` POST parameter. When submitted as an array, the parameter bypasses database validation and enables direct processing of attacker-controlled field definitions. The role field's security check reads allowed roles from the injected definition rather than a trusted source, permitting arbitrary role assignment including administrator. This unauthenticated vector enables complete site compromise through account creation.

Defensive priority

critical

Recommended defensive actions

  • Immediately update Frontend Admin by DynamiApps plugin to version 3.29.3 or later
  • Audit WordPress user accounts for unauthorized administrator creations
  • Review web server access logs for POST requests to affected endpoints containing `_acf_form` array parameters
  • Implement Web Application Firewall rules to block submissions with array-type `_acf_form` parameters
  • Disable or remove the plugin if patching is not immediately feasible
  • Conduct forensic analysis of compromised sites for persistent backdoors or additional malicious accounts
  • Review plugin code changes in commit 3525193 to verify fix adequacy
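The log-review and WAF actions above both hinge on one question: was `_acf_form` submitted as a scalar form ID or as a PHP-style array? The following is an added example, not PatchSiren's or the plugin's code, that answers it for captured request bodies (standard access logs do not record POST bodies, so this assumes a WAF audit log or similar body capture); the sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus

PARAM = "_acf_form"
# PHP's array convention in form-encoded bodies: name[...]=v or name[]=v.
ARRAY_KEY = re.compile(r"^" + re.escape(PARAM) + r"\[")


def parse_form_body(body: str) -> list[tuple[str, str]]:
    """Decode an application/x-www-form-urlencoded body into (key, value) pairs.

    Decoding happens before matching so `_acf_form%5Bid%5D` and `_acf_form[id]`
    are seen as the same key; a rule that only looks for a literal `[` misses
    the percent-encoded form.
    """
    pairs = []
    for part in body.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def classify_acf_form(body: str) -> str:
    """Return 'absent', 'scalar' or 'array' for the `_acf_form` parameter.

    PHP builds $_POST['_acf_form'] as an array when a key uses the bracket
    syntax, so one such key is enough to classify the whole body.
    """
    keys = [k for k, _ in parse_form_body(body)]
    if any(ARRAY_KEY.match(k) for k in keys):
        return "array"
    if PARAM in keys:
        return "scalar"
    return "absent"


# Constructed (method, path, body) records of the kind a WAF audit log or
# request-body capture would provide; this is not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/", "_acf_form=42&acf%5Bfield_name%5D=Alice"),
    ("POST", "/", "_acf_form%5B%5D=42"),
    ("POST", "/", "_acf_form[key]=x&acf[name]=Bob"),
    ("GET", "/?s=test", ""),
]


def flag_array_submissions(requests):
    """Return (method, path) for every POST whose `_acf_form` is an array."""
    return [(m, p) for m, p, body in requests
            if m == "POST" and classify_acf_form(body) == "array"]


if __name__ == "__main__":
    for hit in flag_array_submissions(SAMPLE_REQUESTS):
        print("array-typed _acf_form submission:", hit)
```

The same `classify_acf_form` check expresses the WAF condition: reject a POST whose classification is `array`, since a legitimate submission on a patched site only ever carries a scalar form ID.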

Evidence notes

Vulnerability analysis is based on Wordfence security research with code-level evidence from the WordPress plugin repository. Affected versions were confirmed through tags/3.28.33 and trunk source code references. CVSS 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates network exploitable, low attack complexity, low privileges required, no user interaction, and high impact across confidentiality, integrity, and availability. CWE-269 (Improper Privilege Management) is classified as the primary weakness.

Official resources

2026-05-28