PatchSiren cyber security CVE debrief
CVE-2026-7802 shabti CVE debrief
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. The plugin fails to properly verify that a user is authorized to perform actions on target accounts. Authenticated attackers with subscriber-level access and above can overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary user_id parameter. This enables full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have its 'Roles' configuration setting left empty; when a non-empty roles list is configured, the load_data() function sets the user ID to 'none' for users whose roles fall outside the allowed list, preventing administrators from being targeted through that form.
- Vendor: shabti
- Product: Frontend Admin by DynamiApps
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
WordPress site administrators using the Frontend Admin by DynamiApps plugin; security teams monitoring for privilege escalation vulnerabilities; managed service providers hosting WordPress environments with subscriber or customer user roles
Technical summary
The vulnerability exists in the plugin's user action handling code. When processing form submissions, the plugin accepts a user_id parameter without verifying that the requesting user has authorization to modify the specified target account. The load_data() function only restricts access when a non-empty roles list is configured on the Edit-User form; with an empty roles configuration, no authorization check prevents modification of arbitrary user accounts including administrators. Attackers can overwrite sensitive fields including user_pass (password hash), user_email, first_name, and last_name. Successful exploitation grants full administrative control through either direct password replacement or password reset via the compromised email address.
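The per-target authorization check the summary says is missing, shown as an added WordPress PHP example that is not the plugin's own code: the handler name, nonce action, form field names and the fail-closed handling of an empty roles list are assumptions for illustration.

```php
<?php
// Hypothetical form handler (added example, not the plugin's code).
// Shows the checks that close the missing-authorization pattern described
// above. Function name, nonce action and field names are assumed.

function fa_example_handle_edit_user( array $post, array $allowed_roles ) {
    // Reject forged submissions (assumed nonce action name).
    if ( ! isset( $post['_wpnonce'] ) || ! wp_verify_nonce( $post['_wpnonce'], 'fa_example_edit_user' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form token.' );
    }

    $target_id = isset( $post['user_id'] ) ? absint( $post['user_id'] ) : 0;

    // The advisory's weak pattern is trusting user_id as-is and updating whatever
    // account it names. Instead, require that the requester is editing their own
    // account or holds the edit_user meta capability for this specific target,
    // which WordPress resolves per-user through map_meta_cap().
    if ( $target_id !== get_current_user_id() && ! current_user_can( 'edit_user', $target_id ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to edit this user.' );
    }

    $target = get_userdata( $target_id );
    if ( ! $target ) {
        return new WP_Error( 'no_user', 'Target user does not exist.' );
    }

    // Enforce the form's configured role list server-side. Assumed design choice:
    // an empty list denies rather than exposing every role (fail closed).
    if ( empty( $allowed_roles ) || ! array_intersect( $allowed_roles, (array) $target->roles ) ) {
        return new WP_Error( 'role_denied', 'Target role is not editable from this form.' );
    }

    // Only an explicit allow-list of profile fields is written. user_pass and
    // user_email are deliberately excluded here; changing them should go through
    // a flow that re-confirms the current password.
    $update = array( 'ID' => $target_id );
    foreach ( array( 'first_name', 'last_name' ) as $field ) {
        if ( isset( $post[ $field ] ) ) {
            $update[ $field ] = sanitize_text_field( wp_unslash( $post[ $field ] ) );
        }
    }
    return wp_update_user( $update ); // user ID on success, WP_Error on failure
}
```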
Defensive priority
critical
Recommended defensive actions
- Upgrade Frontend Admin by DynamiApps to a version newer than 3.29.2 immediately
- Audit all Edit-User forms to ensure 'Roles' configuration is not left empty unless explicitly required
- Review administrator account logs for unauthorized password or email changes between 2026-05-28 and patch deployment
- Implement additional authorization checks at the web application firewall level for user profile modification requests
- Consider disabling the plugin until a patched version can be deployed if immediate upgrade is not feasible
Evidence notes
Vulnerability disclosed by Wordfence. Source code references indicate the issue affects multiple versions including 3.28.36 and 3.29.1. A changeset reference suggests a patch may be available. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H with a score of 8.8 (HIGH). CWE-862 (Missing Authorization) is the primary weakness classification.
Official resources
2026-05-28