Vulnerability Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.2
- https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0faa8f07-88c1-4638-9de
FAQ
What is CVE-2026-3328?
CVE-2026-3328 is a vulnerability with a CVSS score of 7.2 (HIGH). The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31....
How severe is CVE-2026-3328?
CVE-2026-3328 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-3328?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.