VYPR
Medium severity (score 4.9) · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-10039

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires that the attacker also supply a valid 'orderby' parameter in the same request, as this is necessary to reach the vulnerable code path that processes and concatenates the 'order' value into the SQL query.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated SQL injection in Frontend Admin by DynamiApps WordPress plugin up to v3.28.28 allows admin-level attackers to extract sensitive database information via the 'order' parameter.

Vulnerability

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the order parameter in all versions up to and including 3.28.28. The vulnerability resides in the get_payments() function in main/admin/admin-pages/payments/list.php [1]. The code constructs an SQL query and, when the orderby parameter is present, it concatenates the order value directly into the query string without proper escaping or preparation [1]. Only a rudimentary check for 'DESC' is performed using a ternary operator; any other value, including malicious SQL, is accepted and appended [1]. The affected versions are all releases up to 3.28.28 [2][3].

Exploitation

An authenticated attacker with administrator-level access (or higher) must supply both a valid orderby parameter and a crafted order parameter in the same HTTP request to reach the vulnerable code path [1]. The orderby value is sanitized via sanitize_sql_orderby(), but the order value is not escaped or parameterized, so arbitrary SQL is concatenated into the ORDER BY clause and can be used to extract data from the WordPress database [1]. A practitioner's caveat: because the injection point sits after ORDER BY, appending a UNION SELECT is not valid MySQL syntax at that position, and WordPress's $wpdb does not execute stacked statements, so extraction is in practice blind, through injected expressions that change the sort order or the response time rather than through a direct UNION.
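To make the pattern concrete, here is an added illustrative example in PHP. It is not the plugin's own code and is not taken from the advisory; it reconstructs the bug class described in the Vulnerability and Exploitation sections above (a validated orderby next to an order value that is only compared against 'DESC' and otherwise concatenated verbatim) beside a hardened version. The function names, table, column list and request keys are assumptions, and sanitize_sql_orderby() is reimplemented from the WordPress core regex only so that the file runs outside WordPress.

```php
<?php
// Added illustrative example; it is not code from the Frontend Admin plugin.
// It reproduces the class of bug described in the advisory (an 'order'
// direction concatenated into ORDER BY after only a ternary check on
// 'DESC') beside a hardened version. Table name, column list and the
// request keys are assumptions for the demonstration.

// Approximation of WordPress core's sanitize_sql_orderby() so the file runs
// outside WordPress: accepts "col", "col ASC", "col DESC, col2" or RAND().
if (!function_exists('sanitize_sql_orderby')) {
    function sanitize_sql_orderby(string $orderby) {
        $column_list = '/^\s*(([a-z0-9_]+|`[a-z0-9_]+`)(\s+(ASC|DESC))?\s*(,\s*(?=[a-z0-9_`])|$))+$/i';
        if (preg_match($column_list, $orderby) || preg_match('/^\s*RAND\(\s*\)\s*$/i', $orderby)) {
            return $orderby;
        }
        return false;
    }
}

// Vulnerable pattern: 'orderby' is validated, 'order' is not. The ternary
// only normalises the literal 'DESC'; every other value is used verbatim.
function build_payments_query_vulnerable(string $table, array $request): string {
    $sql = "SELECT * FROM {$table}";
    if (!empty($request['orderby'])) {
        $orderby = sanitize_sql_orderby($request['orderby']);
        $order   = (($request['order'] ?? '') === 'DESC') ? 'DESC' : ($request['order'] ?? 'ASC');
        if ($orderby !== false) {
            $sql .= " ORDER BY {$orderby} {$order}";   // attacker-controlled text lands here
        }
    }
    return $sql;
}

// Hardened pattern: identifiers and keywords cannot be bound as prepared
// statement parameters, so both parts are reduced to fixed allow-lists and
// anything else falls back to a safe default.
function build_payments_query_hardened(string $table, array $request): string {
    $sql = "SELECT * FROM {$table}";
    if (!empty($request['orderby'])) {
        $allowed_columns = ['id', 'amount', 'created_at'];   // assumed schema
        $orderby = in_array($request['orderby'], $allowed_columns, true) ? $request['orderby'] : 'id';
        $order   = (strtoupper((string) ($request['order'] ?? '')) === 'ASC') ? 'ASC' : 'DESC';
        $sql .= " ORDER BY {$orderby} {$order}";
    }
    return $sql;
}

// Constructed request: a valid 'orderby' reaches the concatenation, and the
// 'order' value carries an extra SQL expression instead of a direction.
$request = ['orderby' => 'id', 'order' => 'DESC, (SELECT 1)'];
echo build_payments_query_vulnerable('wp_payments', $request), "\n";
echo build_payments_query_hardened('wp_payments', $request), "\n";
```

Running the file with php prints two queries: in the first, the injected expression survives verbatim after ORDER BY id DESC; in the second, both the column and the direction come from allow-lists and the request value is discarded. The design point is that a direction keyword is an allow-list problem, not an escaping problem: $wpdb->prepare() cannot bind identifiers or keywords, and a blocklist check for one literal (as in the vulnerable ternary) leaves every other string through.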

Impact

Successful exploitation allows the attacker to extract sensitive information from the database, such as usernames, password hashes, and other confidential data stored in WordPress tables [1]. The impact is limited to information disclosure (confidentiality breach); the attacker does not directly obtain code execution or write capabilities through this SQL injection [1].

Mitigation

The vendor has released version 3.29.3, which addresses the vulnerability [2][3]; administrators should update the plugin to 3.29.3 or later as soon as possible, and can confirm the installed version from the WordPress plugins screen (or with wp plugin list) before and after the update. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE; mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 6

News mentions: 0 (no linked articles in our index yet)