CVE-2026-7802 is an authorization bypass vulnerability in the Frontend Admin by DynamiApps WordPress plugin. The plugin fails to properly verify user authorization when processing the user_id parameter, allowing authenticated users with low privileges to modify administrator account details such as user_pass, user_email, and profile fields. This can lead to full administrator account takeover via direct password replacement or email-based password reset redirection. The vulnerability is conditional on the 'Roles' setting in the Edit-User form being empty; a non-empty roles list prevents targeting administrators by setting the user ID to 'none' for unauthorized roles. The CVSS v3.1 score is 8.8, indicating high severity. No patch or official remediation has been published as of now.

Successful exploitation allows an authenticated user with subscriber-level privileges or higher to overwrite administrator credentials and profile information, resulting in full administrator account takeover. This compromises the integrity, confidentiality, and availability of the affected WordPress site. The vulnerability is mitigated if the Edit-User form's 'Roles' configuration restricts role targeting, preventing administrator accounts from being modified through this vector.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should ensure the Edit-User form's 'Roles' configuration is set to a non-empty list that excludes unauthorized roles, thereby preventing the vulnerability from being exploited. Monitor vendor channels for updates and apply patches promptly when released.