{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14741", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-15T19:08:42.013Z", "datePublished": "2026-01-09T07:22:11.168Z", "dateUpdated": "2026-04-08T16:53:08.443Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:08.443Z"}, "affected": [{"vendor": "shabti", "product": "Frontend Admin by DynamiApps", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.28.25", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts."}], "title": "Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "andrea bocchetti"}], "timeline": [{"time": "2025-12-12T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-15T19:25:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-08T18:45:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T19:06:33.393724Z", "id": "CVE-2025-14741", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:11:36.990Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14741", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T19:06:33.393724Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:11:34.556Z"}}], "cna": {"title": "Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element", "credits": [{"lang": "en", "type": "finder", "value": "andrea bocchetti"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "shabti", "product": "Frontend Admin by DynamiApps", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.28.25"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-15T19:25:39.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-08T18:45:51.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106"}], "descriptions": [{"lang": "en", "value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:08.443Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14741", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:53:08.443Z", "dateReserved": "2025-12-15T19:08:42.013Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T07:22:11.168Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts."}, {"lang": "es", "value": "El plugin Frontend Admin de DynamiApps para WordPress es vulnerable a la falta de autorizaci\u00f3n para la modificaci\u00f3n y eliminaci\u00f3n no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'delete_object' en todas las versiones hasta la 3.28.25, inclusive. Esto hace posible que atacantes no autenticados eliminen publicaciones, p\u00e1ginas, productos, t\u00e9rminos de taxonom\u00eda y cuentas de usuario arbitrarios."}], "id": "CVE-2025-14741", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T08:15:57.660", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:01:28.906653+00:00", "value": {"mitigation_remediation": ["Update the Frontend Admin plugin to version 3.28.26 or later, which contains the missing authorization check fix.", "If immediate updating is impossible, remove or disable the delete_object form element from the front\u2011end until the plugin can be patched. This stops unauthenticated deletion attempts.", "Configure a web\u2011application firewall or rewrite rules to block delete_object requests originating from unauthenticated sessions, ensuring only authenticated administrators can trigger deletions."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated arbitrary data deletion"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Frontend Admin by DynamiApps plugin up to and including version 3.28.25 are affected. Sites that have not applied the 3.28.26 update or later are at risk.", "description_and_impact": "The Frontend Admin plugin for WordPress lacks a capability check on the delete_object function, allowing any visitor to trigger deletion of posts, pages, products, taxonomy terms, and even user accounts. This results in direct data loss and integrity compromise. The flaw is classified as CWE-862, indicating a missing authorization control, and carries a CVSS score of 9.1, reflecting a high severity.", "risk_and_exploitability": "Because the vulnerability permits access without authentication, any user on the public web interface can exploit it by submitting a delete_object request. The EPSS score is below 1%, suggesting current exploit pressure is low, yet the potential impact is severe. The flaw is not listed in the CISA KEV catalog, but the lack of an authorization check means an attacker could delete arbitrary content or accounts without restrictions. The likely attack vector is straightforward: craft a request to the delete_object endpoint from any browser or automated tool, bypassing role or capability checks."}}}}, "created": "2026-01-09T13:23:24.750476+00:00", "updated": "2026-04-22T00:15:03.760587+00:00", "vendors": ["dynamiapps", "dynamiapps$PRODUCT$frontend_admin", "wordpress", "wordpress$PRODUCT$wordpress"]}