The Frontend Admin by DynamiApps plugin for WordPress suffers from an improper privilege management vulnerability (CWE-269) allowing unauthenticated privilege escalation. The plugin insecurely processes form submissions by accepting arbitrary form definitions from user input instead of securely loading them from the backend. Specifically, when the $_POST['_acf_form'] parameter is an array rather than a form ID, the validate_form() function bypasses database lookups and processes attacker-controlled data. The create_record() function preserves attacker-supplied record data, and the run() function falls back to attacker-controlled field definitions when legitimate fields are missing. This includes the role field's pre_update_value() validation, which reads role options from attacker-controlled data, allowing attackers to specify 'administrator' as an allowed role and bypass security checks. Consequently, unauthenticated attackers can create administrator accounts, leading to full site compromise.

Successful exploitation allows unauthenticated attackers to create administrator accounts on the affected WordPress site, resulting in full control over the site, including confidentiality, integrity, and availability impacts. The CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability. There are no known exploits in the wild at the time of this report.

Patch status is not yet confirmed — no official fix or patch links are currently available. Users should monitor the vendor's advisory channels for updates and apply official patches once released. Until a patch is available, consider disabling or removing the Frontend Admin by DynamiApps plugin to prevent exploitation. Avoid exposing the plugin to untrusted users or unauthenticated requests. No vendor advisory content is provided to indicate that the issue is already mitigated or requires no action.