Frontend Admin <= 3.28.28 Authenticated SQL Injection in 'order' Parameter (CVE-2026-10039)

漏洞概述 漏洞名称: Frontend Admin by DynamiApps <= 3.28.28 - Authenticated (Administrator+) SQL Injection via 'order' Parameter CVE ID: CVE-2026-10039 CVSS评分: 4.9 (Medium) 发布日期: May 28, 2026 最后更新日期: May 29, 2026 研究人员: Louis Deschanel (JeanJeanLeHaxor), Patrowl, Pascal SUN - Patrowl 影响范围 软件类型: Plugin 软件名称: acf-frontend-form-element 受影响版本: <= 3.28.8 修复版本: 3.28.29 修复方案 修复建议: 更新到版本 3.28.29 或更新的已修补版本 其他信息 描述: Frontend Admin by DynamiApps 插件 for WordPress 存在 SQL 注入漏洞，攻击者可以通过 'order' 参数注入恶意 SQL 代码。 参考链接: - plugins.trac.wordpress.org - plugins.trac.wordpress.org - plugins.trac.wordpress.org - plugins.trac.wordpress.org 近期相关漏洞 Frontend Admin by DynamiApps <= 3.29.2 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via 'user_id' URL Query Parameter - CVE ID: CVE-2026-7802 - CVSS评分: 8.8 - 研究人员: Tiago Ventura (persec) - 发布日期: May 27, 2026 Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Privilege Escalation via Form Configuration Injection - CVE ID: CVE-2026-6226 - CVSS评分: 8.8 - 研究人员: daroo - 发布日期: May 27, 2026 Frontend Admin by DynamiApps <= 3.28.36 - Unauthenticated Privilege Escalation via Edit User Form - CVE ID: CVE-2026-6228 - CVSS评分: 8.6 - 研究人员: Colin Xu - 发布日期: May 14, 2026 Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form-Posts - CVE ID: CVE-2026-3328 - CVSS评分: 7.2 - 研究人员: Osvaldo Nue Gonzalez Del Rio (Ds) - 发布日期: March 25, 2026 Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via 'update_field' - CVE ID: CVE-2025-14937 - CVSS评分: 7.2 - 研究人员: Paolo Tresso - 发布日期: January 8, 2026 Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element - CVE ID: CVE-2025-14741 - CVSS评分: 9.1 - 研究人员: andrea bocchetti - 发布日期: January 8, 2026 Frontend Admin by DynamiApps <= 3.28.29 - Unauthenticated Privilege Escalation to Administrator via Role Form Field - CVE ID: CVE-2025-14736 - CVSS评分: 9.8 - 研究人员: andrea bocchetti - 发布日期: January 8, 2026 Frontend Admin by DynamiApps <= 3.28.20 - Unauthenticated Arbitrary Options Update - CVE ID: CVE-2025-13342 - CVSS评分: 9.8 - 研究人员: YC_Infosec - 发布日期: December 3, 2025 Frontend Admin by DynamiApps <= 3.28.3 - Authenticated (Subscriber+) SQL Injection - CVE ID: CVE-2025-49267 - CVSS评分: 6.5 - 研究人员: Friss0n - 发布日期: August 12, 2025 Frontend Admin by DynamiApps <= 3.28.7 - Authenticated (Editor+) Arbitrary File Deletion - CVE ID: CVE-2025-49303 - CVSS评分: 6.5 - 研究人员: 0x4dr5id3 - 发布日期: June 26, 2025 其他资源 Wordfence Intelligence: 提供免费的个人和商业 API 访问，用于 WordPress 漏洞数据库。 Wordfence WordPress 插件: 可以通知用户最新的漏洞，并提供 webhook 集成。 Wordfence Intelligence WordPress 漏洞数据库: 完全免费访问和查询，提供 API 文档。 联系方式 技术支持: 9am-8pm ET, 5am-5pm PT, 2pm-1am UTC/GMT（不包括周末和节假日） 响应时间: 24小时支持，365天，1小时响应时间 版权信息 版权: 2012-2026 Defiant Inc. 许可证: MITRE Corporation 的 CVE 使用许可 其他链接 Terms of Service: 链接 Privacy Policy and Notice at Collection: 链接 Do Not Sell or Share My Personal Information: 链接 社交媒体 Twitter: 链接 Facebook: 链接 LinkedIn: 链接 Instagram: 链接 产品和支持 Wordfence Free: 链接 Wordfence Premium: 链接 Wordfence Care: 链接 Wordfence Response: 链接 Wordfence CLI: 链接 Wordfence Intelligence: 链接 Wordfence Central: 链接 支持 Documentation: 链接 Learning Center: 链接 Free Support: 链接 Premium Support: 链接 新闻 Blog: 链接 In The News: 链接 Vulnerability Advisories: 链接 关于 About Wordfence: 链接 Affiliate Program: 链接 Employment: 链接 Contact: 链接 Security: 链接 CVE Request Form: 链接 订阅 Sign up for news and updates: 链接 页脚 © 2012-2026 Defiant Inc. All Rights Reserved

Goal Reached Thanks to every supporter — we hit 100%!

Frontend Admin <= 3.28.28 Authenticated SQL Injection in 'order' Parameter (CVE-2026-10039)

More from this source