Frontend Admin by DynamiApps

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.

AI Analysis

Missing authorization vulnerability allowing unauthenticated attackers to delete arbitrary data

Basic Information

ID CVE-2025-14741

Source Wordfence

Published Jan 9, 2026 at 07:22

Affected Product

Vendor shabti

Product Frontend Admin by DynamiApps

Version *

Affected Versions shabti Frontend Admin by DynamiApps *

CWE Classification

CWE-862

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor DynamiApps

Product Frontend Admin

Version 3.28.25 and below

References

{
    "lastseen": "",
    "description": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.",
    "published": "2026-01-09T07:22:11.168Z",
    "modified": "2026-01-09T07:22:11.168Z",
    "type": "cve",
    "title": "Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve\nhttps://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106",
    "id": "CVE-2025-14741",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "shabti Frontend Admin by DynamiApps *",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Frontend Admin by DynamiApps",
    "version": "*",
    "vendor": "shabti",
    "ai_description": "Missing authorization vulnerability allowing unauthenticated attackers to delete arbitrary data",
    "ai_severity": "Critical",
    "ai_vendor": "DynamiApps",
    "ai_product": "Frontend Admin",
    "ai_version": "3.28.25 and below",
    "ai_score": 9.1
}

Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element_CVE-2025-14741