VYPR
High severity (8.8) · NVD Advisory · Published May 28, 2026

CVE-2026-6226

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST['_acf_form'] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action's run() function falls back to attacker-controlled field definitions from $form['fields'] when legitimate fields cannot be found. The role field's pre_update_value() validation reads $field['role_options'] from this attacker-controlled definition, allowing an attacker to specify ['administrator'] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated attackers can create WordPress admin accounts via a crafted form submission in the Frontend Admin plugin for WordPress (≤3.29.2).

Vulnerability

The Frontend Admin by DynamiApps plugin for WordPress (versions up to and including 3.29.2) contains an unauthenticated privilege escalation vulnerability in its form submission handling. The root problem is a trust-boundary inversion: the form definition, which should be server-side configuration looked up by its ID, is accepted from the client instead. The validate_form() function in submit.php [3][4] treats $_POST['_acf_form'] as the form definition itself whenever it is an array, skipping the database lookup entirely. Everything downstream then operates on attacker-controlled structure: create_record() preserves attacker-supplied record data, and the user action's run() function falls back to the field definitions in $form['fields'] when it cannot find the legitimate fields. The role field's pre_update_value() check reads its allowed roles from $field['role_options'] in that same definition, so an attacker who lists ['administrator'] there passes the check that was meant to block exactly that role [1][2].
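As an added illustration for this page (not the plugin's code), the following PHP models the trust-boundary failure described above and one way to close it. The function names validate_form() and pre_update_value() mirror those in the CVE description, but their bodies, the form/field array layout, the STORED_FORMS stand-in for the database, and the helper functions find_role_field(), resolve_role() and is_suspicious_submission() are assumptions made for illustration; the create_record() and run() fallbacks are collapsed into the single lookup shown. The hardened variant is one reasonable fix, not necessarily what the vendor shipped in 3.29.3.

```php
<?php
// Added example modeling CVE-2026-6226; names mirror the CVE description,
// bodies and array layout are assumptions, not the plugin's real code.

// Constructed stand-in for form definitions stored in the database.
// The legitimate form only permits the 'subscriber' role.
const STORED_FORMS = [
    12 => [
        'id'     => 12,
        'fields' => [
            ['name' => 'username', 'type' => 'text'],
            ['name' => 'role', 'type' => 'role', 'role_options' => ['subscriber']],
        ],
    ],
];

// Vulnerable pattern: an array in _acf_form is used as the form definition
// itself, so the client controls every field, including role_options.
function validate_form_vulnerable(array $post): ?array {
    $form = $post['_acf_form'] ?? null;
    if (is_array($form)) {
        return $form;                       // attacker-controlled structure
    }
    return STORED_FORMS[(int) $form] ?? null;
}

// Hardened pattern: only a numeric form ID is accepted, and the definition
// is always loaded from trusted storage. Arrays are rejected outright.
function validate_form_hardened(array $post): ?array {
    $id = $post['_acf_form'] ?? null;
    if (!is_scalar($id) || !preg_match('/^\d+$/', (string) $id)) {
        return null;
    }
    return STORED_FORMS[(int) $id] ?? null;
}

// Role check as described: allowed roles come from the field definition,
// so it is only as trustworthy as the $form that produced $field.
function pre_update_value(string $role, array $field): bool {
    return in_array($role, $field['role_options'] ?? [], true);
}

function find_role_field(array $form): ?array {
    foreach ($form['fields'] ?? [] as $field) {
        if (($field['type'] ?? '') === 'role') {
            return $field;
        }
    }
    return null;
}

// Returns the role that would be written for a submission, or null if rejected.
function resolve_role(array $post, callable $validate_form): ?string {
    $form  = $validate_form($post);
    $field = $form ? find_role_field($form) : null;
    $role  = $post['acff']['role'] ?? '';
    return ($field && pre_update_value($role, $field)) ? $role : null;
}

// Detection helper for a WAF rule or request-log review: the precondition
// for this bug is _acf_form arriving as an array. Works on $_POST or on the
// array that parse_str() builds from a raw urlencoded body.
function is_suspicious_submission(array $post): bool {
    return is_array($post['_acf_form'] ?? null);
}

// Constructed attacker request modeled on the description: _acf_form is an
// array whose role field lists 'administrator' as permitted.
$attacker_post = [
    '_acf_form' => [
        'fields' => [
            ['name' => 'role', 'type' => 'role', 'role_options' => ['administrator']],
        ],
    ],
    'acff' => [
        'username' => 'intruder',
        'email'    => 'intruder@example.invalid',
        'password' => 'attacker-chosen',
        'role'     => 'administrator',
    ],
];

// Constructed legitimate request: a numeric form ID and a permitted role.
$legit_post = ['_acf_form' => '12', 'acff' => ['role' => 'subscriber']];

printf("vulnerable, attacker: %s\n", var_export(resolve_role($attacker_post, 'validate_form_vulnerable'), true));
printf("hardened,   attacker: %s\n", var_export(resolve_role($attacker_post, 'validate_form_hardened'), true));
printf("hardened,   legit:    %s\n", var_export(resolve_role($legit_post, 'validate_form_hardened'), true));
printf("suspicious? attacker: %s\n", var_export(is_suspicious_submission($attacker_post), true));
```

Run with the php CLI. The vulnerable path resolves the attacker's role to administrator because the only check consults a list the attacker wrote; the hardened path never lets a client-supplied array stand in for a stored form, so the same request is rejected while the numeric-ID submission still works. The is_suspicious_submission() check is a cheap signal for reviewing historical requests, since any array-typed _acf_form is the precondition for this bug, but it is a detection aid, not a substitute for updating the plugin.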

Exploitation

An unauthenticated attacker can exploit this by sending a POST request to any page that processes forms via the plugin. The attacker sets $_POST['_acf_form'] to an array containing a crafted form definition that includes a user action to create a new user, plus a role field whose role_options is set to ['administrator']. The attacker also supplies the desired username, email, and password in the acff array. No prior authentication, user interaction, or special network position is required; the only precondition is the ability to send HTTP POST requests to a site that renders or processes a Frontend Admin form.

Impact

Successful exploitation allows an unauthenticated attacker to create a new user account with Administrator privileges on the WordPress site, granting full control over the site. This can lead to complete compromise of the site, including data theft, malware injection, or site defacement.

Mitigation

The vendor has released version 3.29.3, which fixes the issue by properly validating form definitions and preventing arbitrary form injection. Site owners should update to version 3.29.3 or later immediately and confirm the installed version on the Plugins screen afterwards. Because exploitation creates a new administrator account, the user list should also be reviewed for unexpected administrator accounts and any found should be removed. No workaround is available for unpatched versions. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: No source-code context for this CVE. Mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 10

News mentions: 0. No linked articles in our index yet.