CVE-2024-11721

HIGH

Frontend Admin by DynamiApps <3.24.5 - Privilege Escalation

Title source: llm

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.24.5. This is due to insufficient controls on the user role select field when utilizing the 'Role' field in a form. This makes it possible for unauthenticated attackers to create new administrative user accounts, even when the administrative user role has not been provided as an option to the user, granted that unauthenticated users have been provided access to the form.

References (2)

Core 2

Core References

Patch

https://plugins.trac.wordpress.org/changeset/3204192/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/e9fdc833-8384-42c0-ad9b-72e5b6351964?source=cve

Scores

CVSS v3 8.1

EPSS 0.0053

EPSS Percentile 40.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-269

Status published

Products (2)

dynamiapps/frontend_admin < 3.25.1

shabti/Frontend Admin by DynamiApps < 3.24.5

Published Dec 14, 2024

Tracked Since Feb 18, 2026