CVE-2025-13342
Published: 03 December 2025
Description
Adversaries may create a local account to maintain access to victim systems.
Security Summary
CVE-2025-13342 affects the Frontend Admin by DynamiApps plugin for WordPress in all versions up to and including 3.28.20. The vulnerability enables unauthorized modification of arbitrary WordPress options due to insufficient capability checks and input validation in the ActionOptions::run() save handler. It has been assigned CWE-862 (Missing Authorization) and a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity stemming from network accessibility without authentication or user interaction.
Unauthenticated attackers can exploit this flaw by submitting crafted form data to public frontend forms provided by the plugin. Successful exploitation allows modification of critical WordPress options, such as users_can_register, default_role, and admin_email, potentially enabling attackers to create unauthorized administrator accounts, alter site registration settings, or redirect administrative notifications.
Mitigation details are outlined in advisories from Wordfence and the WordPress plugin Trac repository, including changeset 3400432, which addresses the issue in the ACF Frontend Form Element. Security practitioners should update the plugin to a version later than 3.28.20 and review any modified options on affected sites, in particular users_can_register, default_role and admin_email, together with the list of administrator accounts.
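The following is an added illustration of the CWE-862 pattern described above; it is not the plugin's code and does not reproduce ActionOptions::run(). The unsafe handler shows the shape of the defect (a public form handler that writes whatever option name and value the request carries), and the hardened handler shows the three controls whose absence makes the issue critical: a capability check, a nonce, and an explicit allowlist of options with per-option sanitizers. The function names, the `fa_example_` prefix, the form field names and the allowlisted options are assumptions for the example; the WordPress functions used (`current_user_can`, `wp_verify_nonce`, `sanitize_key`, `update_option`, `wp_die`, the `admin_post_*` hook) are real core APIs.

```php
<?php
// Added illustration (not the plugin's code) of a missing-authorization save
// handler and its hardened form. Names prefixed fa_example_ are assumed.

// BEFORE (vulnerable pattern): anyone who can reach the public form can set any
// option, including users_can_register, default_role and admin_email.
function fa_example_save_option_unsafe() {
    $name  = isset( $_POST['option_name'] ) ? wp_unslash( $_POST['option_name'] ) : '';
    $value = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    update_option( $name, $value ); // no capability check, no nonce, no allowlist
}

// AFTER (hardened pattern): the option name is never taken from the request as
// an arbitrary key; it must be one of a fixed set, each with its own sanitizer.
const FA_EXAMPLE_ALLOWED_OPTIONS = array(
    'blogname'        => 'sanitize_text_field',
    'blogdescription' => 'sanitize_text_field',
);

function fa_example_save_option_safe() {
    // 1. Authorization: only users who may manage site options can save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 2. Request integrity: the form must carry a nonce issued by
    //    wp_nonce_field( 'fa_example_save_option', 'fa_example_nonce' ).
    $nonce = isset( $_POST['fa_example_nonce'] ) ? (string) $_POST['fa_example_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'fa_example_save_option' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }

    // 3. Input validation: the option name must be on the allowlist, so
    //    security-relevant options such as default_role can never be reached.
    $name = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! array_key_exists( $name, FA_EXAMPLE_ALLOWED_OPTIONS ) ) {
        wp_die( 'Option not permitted', '', array( 'response' => 400 ) );
    }

    // Apply the sanitizer bound to this option before persisting the value.
    $raw      = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $sanitize = FA_EXAMPLE_ALLOWED_OPTIONS[ $name ];
    update_option( $name, call_user_func( $sanitize, $raw ) );
}

// admin_post_{action} only fires for logged-in users; the capability check
// above still decides which of them may save.
add_action( 'admin_post_fa_example_save_option', 'fa_example_save_option_safe' );
```

For the post-update review recommended above, the same three options and the administrator list can be read with WP-CLI (`wp option get users_can_register`, `wp option get default_role`, `wp option get admin_email`, `wp user list --role=administrator`); a default_role of `administrator`, an unexpected admin_email, or administrator accounts created around the exposure window are the indicators to look for.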
Details
- CWE(s): CWE-862 (Missing Authorization)
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
- T1136.001 (Create Account: Local Account)
Why these techniques?
This CVE enables unauthenticated exploitation of a public-facing WordPress plugin (T1190) to modify options such as users_can_register and default_role, which in turn facilitates the creation of local accounts with administrator privileges (T1136.001).