CVE-2025-14741

CRITICAL

Frontend Admin by DynamiApps - Auth Bypass

Title source: llm

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.

References (2)

Core 2

Core References

Product

https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve

Scores

CVSS v3 9.1

EPSS 0.0035

EPSS Percentile 27.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

shabti/Frontend Admin by DynamiApps < 3.28.25

Published Jan 09, 2026

Tracked Since Feb 18, 2026