PatchSiren

shabti CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM shabti CVE published 2026-05-29

CVE-2026-10039

A SQL injection vulnerability in the Frontend Admin by DynamiApps WordPress plugin allows authenticated administrators to extract sensitive database information. The flaw exists in the payment list administration page where the 'order' parameter is concatenated into SQL queries without adequate escaping or prepared statement usage. Exploitation requires both 'order' and 'orderby' parameters to reach the v [truncated]

HIGH shabti CVE published 2026-05-28

CVE-2026-6226

A critical privilege escalation vulnerability in the Frontend Admin by DynamiApps WordPress plugin allows unauthenticated attackers to create administrator accounts. The flaw stems from insecure form submission handling that accepts arbitrary form definitions from user input rather than securely loading validated configurations from the backend. When the `_acf_form` POST parameter is submitted as an array [truncated]

HIGH shabti CVE published 2026-05-28

CVE-2026-7802

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. The plugin fails to properly verify that a user is authorized to perform actions on target accounts. Authenticated attackers with subscriber-level access and above can overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by [truncated]