Vulnerabilities ›

CVE-2026-3328

High

CWE-502 — Weakness Type

                    Published: Mar 26, 2026                      ·  Modified: Apr 2, 2026                      ·  Source: NVD                

CVSS v3

7.2

🔗 NVD Official

📄 Description (English)

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

🤖 AI Executive Summary

The Frontend Admin by DynamiApps WordPress plugin versions up to 3.28.31 is vulnerable to PHP Object Injection through unsafe deserialization of admin_form post content, allowing authenticated Editor-level users to execute arbitrary code via a POP chain. Organizations using this plugin should immediately update to patched versions and restrict Editor access to trusted administrators only.

📄 Description (Arabic)

تحتوي إضافة Frontend Admin by DynamiApps على ثغرة حقن كائنات PHP خطيرة تنشأ من استخدام دالة WordPress `maybe_unserialize()` بدون قيود على الفئات عند معالجة محتوى منشورات admin_form التي يتحكم بها المستخدمون. يمكن للمهاجمين الذين لديهم صلاحيات محرر أو أعلى استخدام سلسلة POP موجودة لتحقيق تنفيذ أوامر بعيد على الخادم.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 8, 2026 20:37

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government banking telecom healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1059 T1203 T1047

⚖️ Saudi Risk Score (AI)

9.0

/ 10.0

🔧 Remediation Steps (English)

Update the Frontend Admin by DynamiApps plugin to version 3.28.32 or later immediately. Restrict Editor-level and above access to trusted administrators only. Review user roles and capabilities in WordPress admin panel. Monitor admin_form post modifications in activity logs. Consider implementing Web Application Firewall (WAF) rules to detect serialized object patterns in POST requests.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة Frontend Admin من DynamiApps إلى الإصدار 3.28.32 أو أحدث فوراً. قيّد الوصول على مستوى المحرر والأعلى للمسؤولين الموثوقين فقط. راجع أدوار المستخدمين والقدرات في لوحة تحكم WordPress. راقب تعديلات منشورات admin_form في سجلات النشاط. فكر في تنفيذ قواعد جدار الحماية لتطبيقات الويب للكشف عن أنماط الكائنات المسلسلة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1 5.2 5.3 7.1

🔵 SAMA CSF

ID.BE-5 PR.DS-2 PR.IP-1 DE.CM-1

🟡 ISO 27001:2022

A.12.2.1 A.12.6.1 A.14.2.1

🔗 References & Sources 4

🔗

https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.27/main/...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/admin/a...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=348678...

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/0faa8f07-88c1-4638-9de5-e2028...

security@wordfence.com

📊 CVSS Score

7.2

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredH — High

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.2

CWECWE-502

EPSS0.51%

Exploit No

Patch ✗ No

Published 2026-03-26

Source Feed nvd

🇸🇦 Saudi Risk Score

9.0

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-502

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-3328

💬 Comments

Introduce Yourself

Sign In Required