VYPR
Unrated severity · NVD Advisory · Published Dec 21, 2024 · Updated Apr 8, 2026

Frontend Admin by DynamiApps <= 3.25.1 - Unauthenticated SQL Injection

CVE-2024-11722

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.25.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This requires an unauthenticated user to have been given permission to view form submissions, and the form submission shortcode be added to a page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated SQL injection in the Frontend Admin plugin (≤3.25.1) via the 'orderby' parameter allows attackers with submission view access to extract database contents.

Vulnerability

The Frontend Admin by DynamiApps plugin for WordPress (versions up to and including 3.25.1) is vulnerable to SQL injection via the orderby HTTP parameter in the submission listing functionality. The orderby parameter is used in a SQL query within /main/admin/admin-pages/submissions/crud.php without proper escaping or parameterization[2]. An attacker can inject additional SQL clauses into the query by manipulating this parameter. The vulnerable code path is present in all versions up to and including 3.25.1[1].

Exploitation

Exploitation requires that an unauthenticated user has been granted permission to view form submissions (e.g., via the plugin's permission settings), and that the form submission shortcode or block has been added to a page. The attacker sends a crafted HTTP request with malicious SQL appended to the orderby parameter. No prior authentication is needed beyond the granted submission view permission, and the attack does not require any user interaction. The injection occurs in an ORDER BY clause, allowing blind or error-based SQL injection techniques.

Impact

Successful exploitation enables an unauthenticated attacker to extract sensitive information from the WordPress database, such as usernames, password hashes, user email addresses, and other arbitrary data stored in plugin tables. The attack targets the confidentiality of the database; it does not directly achieve code execution or data modification unless combined with other vulnerabilities.

Mitigation

The plugin has been updated to version 3.29.3, which presumably remediates this vulnerability[1]. Users should update to the latest version (3.29.3 or higher) immediately. No workarounds are available for versions 3.25.1 and earlier. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
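The description above boils down to one coding mistake: a request-supplied column name is dropped straight into an ORDER BY clause. Identifiers cannot be bound with $wpdb->prepare() placeholders (a %s placeholder would quote the value as a string, which is not what ORDER BY expects), so the standard remediation is an allowlist of sortable columns plus a normalised direction. The following PHP is an added illustration, not the plugin's code and not the fix shipped in 3.29.3; the table name wp_submissions, the column list, and the function names are all assumptions made for the example.

```php
<?php
// Added example, not the Frontend Admin plugin's own code.
// Hypothetical allowlist of columns a submissions list may be sorted by.
const SORTABLE_COLUMNS = ['id', 'created_at', 'form_id', 'status'];

/**
 * Vulnerable pattern: the request value becomes part of the SQL text.
 * Nothing restricts it to a column name, so the clause is attacker-shaped.
 */
function build_query_unsafe(string $orderby, string $order): string
{
    return "SELECT * FROM wp_submissions ORDER BY {$orderby} {$order}";
}

/**
 * Map the request value onto the fixed allowlist; anything else falls back
 * to a default column. Returns the allowlisted name, never the raw input.
 */
function sanitize_orderby(string $orderby): string
{
    $key = strtolower(trim($orderby));
    return in_array($key, SORTABLE_COLUMNS, true) ? $key : 'id';
}

/** Direction is a two-valued choice; normalise rather than trust. */
function sanitize_order(string $order): string
{
    return strtoupper(trim($order)) === 'DESC' ? 'DESC' : 'ASC';
}

/**
 * Hardened pattern: only allowlisted identifiers reach the SQL text, and the
 * identifier is backtick-quoted so it is read as a column name.
 */
function build_query_safe(string $orderby, string $order): string
{
    $column    = sanitize_orderby($orderby);
    $direction = sanitize_order($order);
    return "SELECT * FROM wp_submissions ORDER BY `{$column}` {$direction}";
}

/**
 * Detection hook: true when the raw value is not a bare allowlisted column,
 * which is worth logging even after the query itself has been hardened.
 */
function is_unexpected_orderby(string $orderby): bool
{
    return !in_array(strtolower(trim($orderby)), SORTABLE_COLUMNS, true);
}

// Constructed request values standing in for $_GET['orderby'] / $_GET['order'].
$requests = [
    ['created_at', 'desc'],     // legitimate sort
    ['not_a_column', 'asc'],    // unknown column name
    ['created_at, id', 'x'],    // more than a bare column name
];

foreach ($requests as [$orderby, $order]) {
    echo "input   : orderby={$orderby} order={$order}\n";
    echo "unsafe  : " . build_query_unsafe($orderby, $order) . "\n";
    echo "safe    : " . build_query_safe($orderby, $order) . "\n";
    echo "log it? : " . (is_unexpected_orderby($orderby) ? 'yes' : 'no') . "\n\n";
}
```

Run with `php example.php`. The point of the hardened version is that the SQL text can only ever contain one of the four constant column names and one of two directions, regardless of what the request carried; the unsafe version echoes the request verbatim, which is the shape of the flaw the advisory describes. The is_unexpected_orderby() check is a cheap signal for a site's own logging or WAF rules while an update to 3.29.3 is rolled out.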

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (No linked articles in our index yet.)