CVE-2026-6228— Frontend Admin by DynamiApps <= 3.28.36 - Unauthenticated Privilege Escalation via Edit User Form
Possible ATT&CK Techniques 3AI
T1098 · Account Manipulation T1078 · Valid Accounts T1136 · Create AccountAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| shabti | Frontend Admin by DynamiApps | ≤ 3.28.36 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-6228
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Frontend Admin by DynamiApps <= 3.28.36 - Unauthenticated Privilege Escalation via Edit User Form
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 3.28.36. This is due to insufficient authorization checks in the role field update mechanism combined with overly permissive capabilities for the admin_form post type. The admin_form custom post type uses 'capability_type' => 'page', which grants editors the ability to create and edit forms. When an editor creates an edit_user form, they can manipulate the form configuration to include 'administrator' in the role_options array by directly submitting POST data to wp-admin/post.php, bypassing the UI restrictions in feadmin_get_user_roles(). When the form is subsequently submitted, the pre_update_value() function in class-role.php only validates that the submitted role exists in the form's role_options array (lines 107-110), but fails to verify that the current user has permission to assign that specific role. This makes it possible for unauthenticated attackers to first register as editors (via a public new_user form), then create an edit_user form with administrator in the allowed roles, and finally use that form to escalate their own privileges to administrator.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
特权管理不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| shabti | Frontend Admin by DynamiApps | 0 ~ 3.28.36 | - |
II. Public POCs for CVE-2026-6228
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-6228
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: Frontend Admin by DynamiApps
- CVE-2026-3328
Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Edi - CVE-2025-14741
Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorizat - CVE-2025-14937
Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated St - CVE-2025-14736
Frontend Admin by DynamiApps <= 3.28.29 - Unauthenticated Pr - CVE-2025-13342
Frontend Admin by DynamiApps <= 3.28.20 - Unauthenticated Ar
Same vendor: shabti
- CVE-2026-3328
Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Edi - CVE-2025-14741
Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorizat - CVE-2025-14937
Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated St - CVE-2025-14736
Frontend Admin by DynamiApps <= 3.28.29 - Unauthenticated Pr - CVE-2025-13342
Frontend Admin by DynamiApps <= 3.28.20 - Unauthenticated Ar
Same weakness: CWE-269
- CVE-2026-45395
Open WebUI: Missing `workspace.tools` Authorization Check on - CVE-2026-45675
Open WebUI: LDAP and OAuth First-User Race Condition Allows - CVE-2025-62625
KVM密钥下载组件权限管理不当漏洞 - CVE-2026-5193
Essential Addons for Elementor – Popular Elementor Templates - CVE-2026-42289
ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admi
V. Comments for CVE-2026-6228
No comments yet