CVE-2026-7802
Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= value, enabling full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have its 'Roles' configuration setting left empty; when a non-empty roles list is configured, load_data() sets the user ID to 'none' for users whose roles fall outside the allowed list, preventing administrators from being targeted through that form.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers with subscriber-level access can take over any administrator account through the Frontend Admin plugin's Edit-User form when that form's 'Roles' setting is left empty, because the submit path writes user_pass and user_email for an attacker-chosen ?user_id= without checking that the caller is authorized to edit that account.
Vulnerability
The Frontend Admin by DynamiApps plugin for WordPress (all versions up to and including 3.29.2) contains an authorization bypass in its Edit-User form. The plugin does not verify that the current user is allowed to edit the account identified by the ?user_id= parameter. When the form's 'Roles' configuration setting is left empty, an authenticated attacker with subscriber-level access or above can supply an arbitrary ?user_id= value and overwrite that user's profile fields, including user_pass, user_email, first_name and last_name. The affected logic is the form submit handling in submit.php (acf-frontend-form-element/trunk/main/frontend/forms/classes/submit.php) [1][2][3][4]. When a non-empty roles list is configured, load_data() sets the user ID to 'none' for target users whose roles are outside that list, which is why the empty-roles configuration is the precondition.
Exploitation
The attacker must be authenticated with at least subscriber-level permissions on the WordPress site, and the targeted Edit-User form must have an empty 'Roles' setting (no allowed-roles restriction). The attacker then submits the form with ?user_id= set to an administrator's ID. Because the submit handler enforces neither ownership of the target account nor a capability check against it, the submitted values, including a new user_pass, are accepted and written to the database. No interaction from the victim is required; the attacker's own form submission is sufficient.
Impact
Successful exploitation allows the attacker to completely take over the targeted administrator account. By modifying user_pass directly, the attacker can log in as that administrator immediately. Alternatively, changing the administrator's user_email enables a password-reset attack via the “Lost Password” flow. The attacker then gains full administrative access to the WordPress site, including the ability to execute code, modify themes and plugins, and exfiltrate data.
Mitigation
No fixed version has been released as of the CVE publication date (2026-05-28). As a workaround, site administrators should not leave any Edit-User form's 'Roles' configuration empty: populating it with a restricted set of roles closes this path, because load_data() then sets the user ID to 'none' for out-of-scope users. Note that this is a form-configuration guard rather than a capability check in the submit path, so every Edit-User form exposed to logged-in users needs the setting, not just one. Sites that have exposed such a form with an empty 'Roles' setting should also review administrator accounts for unexpected changes to user_email or other profile fields and rotate administrator passwords. The plugin is not known to be listed on CISA's KEV as of this writing.
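As an added illustration of the Vulnerability, Exploitation and Mitigation sections above (example code written for this page, not code from the Frontend Admin plugin, and not a claim about how its submit.php or load_data() are written), the following hypothetical WordPress submit handler shows the broken-access-control pattern the advisory describes beside a hardened version. The function names, the nonce action 'example_edit_user' and the posted field names are assumptions; wp_verify_nonce, current_user_can, get_userdata, wp_update_user and the sanitizers are WordPress core APIs.

```php
<?php
// Added example, not code from the Frontend Admin plugin. Function names, the
// nonce action 'example_edit_user' and the posted field names are assumptions.

// Vulnerable pattern: the target is taken from ?user_id= and written without
// checking that the logged-in user may edit that account. Any subscriber can
// post an administrator's ID and replace user_pass and user_email.
function example_vulnerable_submit() {
    $user_id = isset( $_REQUEST['user_id'] )
        ? absint( $_REQUEST['user_id'] )
        : get_current_user_id();

    wp_update_user( array(
        'ID'         => $user_id,
        'user_pass'  => wp_unslash( $_POST['user_pass'] ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ) ),
        'first_name' => sanitize_text_field( wp_unslash( $_POST['first_name'] ) ),
    ) );
}

// Hardened pattern: the decision is made per target user, on the server, in the
// submit path, and does not depend on how the form was configured.
function example_hardened_submit( array $allowed_roles = array() ) {
    // 1. CSRF: the form must carry a nonce bound to this action.
    $nonce = isset( $_POST['_wpnonce'] ) ? wp_unslash( $_POST['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_edit_user' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    $user_id = isset( $_REQUEST['user_id'] )
        ? absint( $_REQUEST['user_id'] )
        : get_current_user_id();

    // 2. Authorization: 'edit_user' is a meta capability. map_meta_cap() grants it
    //    for the caller's own account and otherwise requires 'edit_users', so a
    //    subscriber cannot pass this check for an administrator's ID.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'You are not allowed to edit this user.', '', array( 'response' => 403 ) );
    }

    // 3. Role allow-list, enforced on submit as well as on form load. An empty
    //    list means "no restriction beyond step 2", which is only acceptable
    //    because step 2 already ran.
    $target = get_userdata( $user_id );
    if ( ! $target ) {
        wp_die( 'Unknown user.', '', array( 'response' => 404 ) );
    }
    if ( ! empty( $allowed_roles ) && ! array_intersect( $allowed_roles, (array) $target->roles ) ) {
        wp_die( 'This form cannot edit users with that role.', '', array( 'response' => 403 ) );
    }

    // 4. Field allow-list: write only what this form is meant to expose.
    $update = array( 'ID' => $user_id );
    if ( isset( $_POST['first_name'] ) ) {
        $update['first_name'] = sanitize_text_field( wp_unslash( $_POST['first_name'] ) );
    }
    if ( isset( $_POST['last_name'] ) ) {
        $update['last_name'] = sanitize_text_field( wp_unslash( $_POST['last_name'] ) );
    }
    // Credentials change only for the account the caller is logged in as.
    if ( $user_id === get_current_user_id() ) {
        if ( ! empty( $_POST['user_pass'] ) ) {
            $update['user_pass'] = wp_unslash( $_POST['user_pass'] );
        }
        if ( ! empty( $_POST['user_email'] ) ) {
            $update['user_email'] = sanitize_email( wp_unslash( $_POST['user_email'] ) );
        }
    }

    $result = wp_update_user( $update );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 400 ) );
    }
}
```

The 'Roles' workaround from the Mitigation section corresponds to step 3 only; step 2 is the check whose absence the advisory describes, and it is the one that stops a subscriber from targeting an administrator regardless of form configuration.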
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.29.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.36/main/frontend/forms/actions/user.php
- plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.36/main/frontend/forms/classes/submit.php
- plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.29.1/main/frontend/forms/actions/user.php
- plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.29.1/main/frontend/forms/classes/submit.php
- plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/frontend/forms/actions/user.php
- plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/frontend/forms/classes/submit.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/cd091bd5-6b6a-4964-9249-525bbbec702c
News mentions
No linked articles in our index yet.