Frontend Admin by DynamiApps

Wordfence Intelligence   >   Vulnerability Database   >   WordPress Plugins   >   Frontend Admin by DynamiApps

Information

Software Type Plugin
Software Slug acf-frontend-form-element (view on wordpress.org)
Software Status Active
Software Author shabti
Software Website www.dynamiapps.com
Software Downloads 949,577
Software Active Installs 10,000
Software Record Last Updated June 18, 2026

19 Vulnerabilities

Submit a Vulnerability
Frontend Admin by DynamiApps <= 3.28.28 - Authenticated (Administrator+) SQL Injection via 'order' Parameter
4.9
CVE-2026-10039
May 28, 2026
Researchers: Louis Deschanel (JeanJeanLeHaxor), Pascal SUN
Frontend Admin by DynamiApps <= 3.29.2 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via 'user_id' URL Query Parameter
8.8
CVE-2026-7802
May 27, 2026
Researcher: Tiago Ventura (perses)
Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Privilege Escalation via Form Configuration Injection
8.8
CVE-2026-6226
May 27, 2026
Researcher: daroo
Frontend Admin by DynamiApps <= 3.28.36 - Unauthenticated Privilege Escalation via Edit User Form
8.8
CVE-2026-6228
May 14, 2026
Researcher: Colin Xu
Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts
7.2
CVE-2026-3328
Mar 25, 2026
Researcher: Osvaldo Noe Gonzalez Del Rio (Os)
Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via 'update_field'
7.2
CVE-2025-14937
Jan 8, 2026
Researcher: Paolo Tresso
Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element
9.1
CVE-2025-14741
Jan 8, 2026
Researcher: andrea bocchetti
Frontend Admin by DynamiApps <= 3.28.29 - Unauthenticated Privilege Escalation to Administrator via Role Form Field
9.8
CVE-2025-14736
Jan 8, 2026
Researcher: andrea bocchetti
Frontend Admin by DynamiApps <= 3.28.20 - Unauthenticated Arbitrary Options Update
9.8
CVE-2025-13342
Dec 3, 2025
Researcher: YC_Infosec
Frontend Admin by DynamiApps <= 3.28.3 - Authenticated (Subscriber+) SQL Injection
6.5
CVE-2025-49267
Aug 12, 2025
Researcher: Frissi0n
Frontend Admin by DynamiApps <= 3.28.7 - Authenticated (Editor+) Arbitrary File Deletion
6.5
CVE-2025-49303
Jun 26, 2025
Researcher: 0xd4rk5id3
Frontend Admin by DynamiApps <= 3.25.17 - Reflected Cross-Site Scripting
6.1
CVE-2025-26987
Feb 23, 2025
Researcher: Dimas Maulana
Frontend Admin by DynamiApps <= 3.25.1 - Unauthenticated SQL Injection
5.9
CVE-2024-11722
Dec 20, 2024
Researcher: Max Boll (_b0lli)
Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Stored Cross-Site Scripting
7.2
CVE-2024-11720
Dec 13, 2024
Researcher: Max Boll (_b0lli)
Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Privilege Escalation
8.1
CVE-2024-11721
Dec 13, 2024
Researcher: Max Boll (_b0lli)
Frontend Admin by DynamiApps <= 3.19.4 - Improper Missing Encryption Exception Handling to Form Manipulation
9.8
CVE-2024-3729
Apr 18, 2024
Researcher: István Márton
Frontend Admin by DynamiApps Plugin <= 3.18.3 - Unauthenticated Arbitrary File Upload
9.8
CVE-2023-51411
Dec 27, 2023
Researcher: Rafie Muhammad
Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get
6.1
CVE-2023-33999
Jul 18, 2023
Researcher: Rafie Muhammad
Freemius SDK <= 2.4.2 - Missing Authorization Checks
6.3
CVE-2022-4974
Mar 4, 2022
Researchers:
Title Status CVE ID CVSS Researchers Date
Frontend Admin by DynamiApps <= 3.28.28 - Authenticated (Administrator+) SQL Injection via 'order' Parameter Patched CVE-2026-10039 4.9 Louis Deschanel (JeanJeanLeHaxor), Pascal SUN May 28, 2026
Frontend Admin by DynamiApps <= 3.29.2 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via 'user_id' URL Query Parameter Patched CVE-2026-7802 8.8 Tiago Ventura (perses) May 27, 2026
Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Privilege Escalation via Form Configuration Injection Patched CVE-2026-6226 8.8 daroo May 27, 2026
Frontend Admin by DynamiApps <= 3.28.36 - Unauthenticated Privilege Escalation via Edit User Form Patched CVE-2026-6228 8.8 Colin Xu May 14, 2026
Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts Patched CVE-2026-3328 7.2 Osvaldo Noe Gonzalez Del Rio (Os) March 25, 2026
Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via 'update_field' Patched CVE-2025-14937 7.2 Paolo Tresso January 8, 2026
Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element Patched CVE-2025-14741 9.1 andrea bocchetti January 8, 2026
Frontend Admin by DynamiApps <= 3.28.29 - Unauthenticated Privilege Escalation to Administrator via Role Form Field Patched CVE-2025-14736 9.8 andrea bocchetti January 8, 2026
Frontend Admin by DynamiApps <= 3.28.20 - Unauthenticated Arbitrary Options Update Patched CVE-2025-13342 9.8 YC_Infosec December 3, 2025
Frontend Admin by DynamiApps <= 3.28.3 - Authenticated (Subscriber+) SQL Injection Patched CVE-2025-49267 6.5 Frissi0n August 12, 2025
Frontend Admin by DynamiApps <= 3.28.7 - Authenticated (Editor+) Arbitrary File Deletion Patched CVE-2025-49303 6.5 0xd4rk5id3 June 26, 2025
Frontend Admin by DynamiApps <= 3.25.17 - Reflected Cross-Site Scripting Patched CVE-2025-26987 6.1 Dimas Maulana February 23, 2025
Frontend Admin by DynamiApps <= 3.25.1 - Unauthenticated SQL Injection Patched CVE-2024-11722 5.9 Max Boll (_b0lli) December 20, 2024
Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Stored Cross-Site Scripting Patched CVE-2024-11720 7.2 Max Boll (_b0lli) December 13, 2024
Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Privilege Escalation Patched CVE-2024-11721 8.1 Max Boll (_b0lli) December 13, 2024
Frontend Admin by DynamiApps <= 3.19.4 - Improper Missing Encryption Exception Handling to Form Manipulation Patched CVE-2024-3729 9.8 István Márton April 18, 2024
Frontend Admin by DynamiApps Plugin <= 3.18.3 - Unauthenticated Arbitrary File Upload Patched CVE-2023-51411 9.8 Rafie Muhammad December 27, 2023
Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get Patched CVE-2023-33999 6.1 Rafie Muhammad July 18, 2023
Freemius SDK <= 2.4.2 - Missing Authorization Checks Patched CVE-2022-4974 6.3 March 4, 2022

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation