CVE-2026-3328— WordPress plugin Frontend Admin by DynamiApps 代码问题漏洞

Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

可信数据的反序列化

WordPress plugin Frontend Admin by DynamiApps 代码问题漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Frontend Admin by DynamiApps 3.28.31及之前版本存在代码问题漏洞，该漏洞源于对admin_form帖子内容中的用户可控内容反序列化时缺少类限制，可能导致PHP对象注入。

N/A

N/A