{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14937", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-18T21:15:38.790Z", "datePublished": "2026-01-09T07:22:10.363Z", "dateUpdated": "2026-04-08T16:49:53.635Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:53.635Z"}, "affected": [{"vendor": "shabti", "product": "Frontend Admin by DynamiApps", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.28.23", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via 'update_field'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46c988ff-9cc5-4f2b-a3dd-06eaef5a7919?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3427236/acf-frontend-form-element"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Paolo Tresso"}], "timeline": [{"time": "2025-12-15T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-18T21:31:38.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-08T18:46:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T19:06:54.216635Z", "id": "CVE-2025-14937", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:11:15.063Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T19:06:54.216635Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:11:11.507Z"}}], "cna": {"title": "Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via 'update_field'", "credits": [{"lang": "en", "type": "finder", "value": "Paolo Tresso"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "shabti", "product": "Frontend Admin by DynamiApps", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.28.23"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-15T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-18T21:31:38.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-08T18:46:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46c988ff-9cc5-4f2b-a3dd-06eaef5a7919?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3427236/acf-frontend-form-element"}], "descriptions": [{"lang": "en", "value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:53.635Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14937", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:53.635Z", "dateReserved": "2025-12-18T21:15:38.790Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T07:22:10.363Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Frontend Admin by DynamiApps para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'acff' en la acci\u00f3n AJAX 'frontend_admin/forms/update_field' en todas las versiones hasta la 3.28.23, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-14937", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T08:15:57.813", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3427236/acf-frontend-form-element"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46c988ff-9cc5-4f2b-a3dd-06eaef5a7919?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:01:46.111088+00:00", "value": {"mitigation_remediation": ["Upgrade the Frontend Admin plugin to version\u202f3.28.24 or later, which removes the vulnerable parameter handling.", "If an immediate update is not possible, uninstall or disable the plugin to eliminate the exposed AJAX endpoint.", "As a temporary measure, block unauthenticated access to the '/frontend_admin/forms/update_field' URL by adding a WAF rule or restricting the IPs that can reach it, and ensure that output from the plugin is properly escaped."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all versions of the Frontend Admin plugin from DynamiApps up to and including 3.28.23. Any WordPress site that has installed a version in this range and is exposing the AJAX endpoint is at risk.", "description_and_impact": "The Frontend Admin plugin for WordPress is vulnerable to stored cross\u2011site scripting because the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action is not properly sanitized or escaped. An unauthenticated attacker can submit JavaScript that is then stored in the database and will execute whenever a user loads a page containing the modified form field.", "risk_and_exploitability": "With a CVSS score of 7.2 the flaw is considered high severity. The EPSS score of less than 1% suggests that exploit attempts are currently rare, and it is not present in the CISA KEV catalog. Exploitation requires no privileged access; the unauthenticated AJAX endpoint can be accessed by any user, making the attack vector simple via a crafted web request."}}}}, "created": "2026-01-09T13:24:01.808391+00:00", "updated": "2026-04-22T00:15:03.761116+00:00", "vendors": ["dynamiapps", "dynamiapps$PRODUCT$frontend_admin", "wordpress", "wordpress$PRODUCT$wordpress"]}