CVE-2026-7802: Frontend Admin WordPress Plugin Authorization Bypass and Admin Account Takeover
The Frontend Admin plugin for WordPress contains a critical flaw that allows low-privilege attackers to hijack administrator accounts. Any authenticated user—even with basic subscriber permissions—can change an admin's password, email address, and other profile information by manipulating a form parameter. This transforms a subscriber account into a full site compromise. The vulnerability only affects configurations where the plugin's 'Roles' setting is left unconfigured; properly configured instances with a defined roles list block this attack.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-862
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= value, enabling full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have its 'Roles' configuration setting left empty; when a non-empty roles list is configured, load_data() sets the user ID to 'none' for users whose roles fall outside the allowed list, preventing administrators from being targeted through that form.
14 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7802 is an authorization bypass vulnerability in Frontend Admin (all versions ≤3.29.2) stemming from inadequate access control in user profile editing functions. The plugin fails to validate that the authenticated user has permission to modify the targeted user record. Attackers exploit this by injecting an arbitrary ?user_id= parameter to select victim accounts. The load_data() function contains conditional logic that mitigates the issue when the Edit-User form's 'Roles' configuration is non-empty; in that case, users outside the allowed role list trigger a fallback that sets user_id to 'none'. However, when 'Roles' is left empty, no such protection exists, leaving administrator accounts fully exposed to modification by any authenticated attacker. The vulnerability maps to CWE-862 (Missing Authorization).
Business impact
Successful exploitation results in complete administrator account takeover, granting an attacker full control of the WordPress site. Attackers can create backdoor accounts, modify site content, install malicious plugins, exfiltrate sensitive data, or pivot to connected systems. This is particularly dangerous for sites hosting customer data, e-commerce platforms, or content management systems where site integrity is critical. The low barrier to entry—only subscriber-level access required—means internal users, compromised low-privilege accounts, or users from poorly-managed subscription roles pose an immediate risk. Recovery requires full security audit and potential malware remediation.
Affected systems
Frontend Admin plugin for WordPress in versions 3.29.2 and earlier. Only installations with the Edit-User form's 'Roles' configuration setting left empty are vulnerable; sites that have defined an explicit roles list within the plugin configuration are not affected by this particular attack vector, though they should still patch. The vulnerability requires WordPress to be running and the plugin to be installed and activated.
Exploitability
Exploitability is high. The attack is network-accessible, requires only valid WordPress credentials at subscriber level or above, needs no user interaction, and carries no complex conditions beyond an improperly configured form setting. An attacker already inside the WordPress user database—whether through social engineering, leaked credentials, or a guest registration—can immediately attempt account takeover. No special tools or exploit code are necessary; the attack is feasible through the WordPress admin interface or direct HTTP requests. This is not an advanced attack.
Remediation
Update Frontend Admin to version 3.29.3 or later as soon as it becomes available. In the interim, if upgrading is not immediately possible, apply the plugin's 'Roles' configuration setting to the Edit-User form by explicitly defining which user roles are permitted to access that form; do not leave it empty. Additionally, audit all user accounts for unauthorized profile modifications (password changes, email updates) and review access logs for suspicious activity. Consider temporarily disabling the Frontend Admin plugin if you cannot patch immediately and cannot safely configure the Roles restriction.
Patch guidance
Verify the availability of a patched version (3.29.3 or later) from the plugin vendor's repository or your WordPress plugin update interface. Perform the update in a staging environment first to confirm compatibility with your site's configuration and other active plugins. After patching, clear any cached data and re-test the Edit-User form functionality to ensure legitimate workflows are not disrupted. If a patch has not yet been released, contact the plugin vendor (DynamiApps) for an estimated timeline and interim mitigation options. Document the patch version applied and the date for compliance and audit records.
Detection guidance
Monitor WordPress access logs and database activity for unusual administrative account modifications—particularly changes to user_pass, user_email, first_name, and last_name fields on accounts with administrator roles. Check for edit-user.php requests with suspicious or non-standard ?user_id= values. Review user audit logs within WordPress or via security plugins for password resets or email changes initiated by low-privilege accounts. If you operate a SIEM, create alerts for any user modification events where the authenticated user's role does not normally permit such changes. Examine WordPress database tables (wp_users) for unexpected modifications to high-privilege accounts around the time of suspected intrusion.
Why prioritize this
This vulnerability warrants immediate prioritization due to the combination of high CVSS score (8.8), low attack complexity, low privilege requirements, and high business impact. Any authenticated user can become a site administrator, making it a gateway to full compromise. The fact that many sites may not have configured the 'Roles' setting means a large install base is potentially at risk. Unlike many authorization bypasses that affect narrow user roles or require unusual configurations, this one thrives on a default-empty configuration state that many site administrators may not have addressed.
Risk score, explained
The CVSS v3.1 score of 8.8 (HIGH) reflects: network accessibility (AV:N), low attack complexity (AC:L), low privilege requirements (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score correctly captures the severity because the attacker gains administrative privilege and can execute arbitrary actions. The score would be critical (9.0+) if the vulnerability were exploitable without authentication, but the subscriber-level access requirement provides a minimal hurdle that still represents significant risk in most WordPress deployments.
Frequently asked questions
Do I need to patch if I've configured the 'Roles' setting in the Edit-User form?
You should still patch, as it is a security best practice and future configurations or other forms may not benefit from this mitigation. However, if you have explicitly set the 'Roles' configuration to a non-empty value, you are not vulnerable to this specific attack vector. That said, do not rely solely on configuration as a long-term defense; upgrade to a patched version.
How can I tell if my site has been compromised through this vulnerability?
Check your WordPress user list for unexpected administrator accounts or changes to existing admin passwords or email addresses. Review your hosting provider's access logs for unusual admin logins from unfamiliar IP addresses. Use a WordPress security plugin to audit user modifications and failed login attempts. If you suspect compromise, change all administrator passwords immediately, review active sessions, and remove any suspicious plugins or themes.
What if I cannot patch immediately?
As an interim measure, configure the Edit-User form's 'Roles' setting to explicitly list only the roles you want to permit editing that form; do not leave it empty. Limit WordPress user registrations to trusted sources only. Audit subscriber-level accounts and disable those that are not actively used. Consider temporarily disabling the Frontend Admin plugin entirely until a patch is available. Monitor your logs closely during this period.
Does this affect WordPress core or only this plugin?
This vulnerability is specific to the Frontend Admin plugin by DynamiApps. WordPress core is not affected. However, because the plugin extends user management functionality, improper use of the plugin can expose the underlying WordPress user system to compromise. Ensuring your WordPress core is up-to-date provides additional defense-in-depth but does not fix this plugin vulnerability.
This analysis is provided for informational purposes and is based on disclosed vulnerability data current as of the publication date. SEC.co does not independently verify all vendor claims or patch availability. Always consult the official DynamiApps vendor advisory and WordPress.org plugin repository for the most current patch versions and technical details. Organizations should conduct their own risk assessment based on their environment, user base, and WordPress configuration. This advisory does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability
- CVE-2025-26418HIGHAndroid CarDevicePolicyService Privilege Escalation (CVSS 7.8)
- CVE-2025-53345HIGHThimPress Thim Core Missing Authorization Leads to Code Execution
- CVE-2026-10737HIGHWordPress SP Project & Document Manager Unauthenticated File Access Vulnerability
- CVE-2026-31942HIGHLibreChat IDOR Vulnerability Allows Unauthorized API Key Manipulation
- CVE-2026-32905HIGHOpenClaw Device-Pair Authorization Bypass (CVSS 8.3)
- CVE-2026-35630HIGHOpenClaw Authorization Bypass in QQBot Approval Buttons
- CVE-2026-42669HIGHEventPrime Missing Authorization Vulnerability (CVSS 7.5)