PT-2026-28193 · Dynamiapps+1 · Frontend Admin+1
Published: 2026-03-26 · Updated: 2026-03-26
CVE-2026-3328
CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Frontend Admin by DynamiApps plugin for WordPress versions prior to 3.28.32
Description
The Frontend Admin by DynamiApps plugin for WordPress is susceptible to PHP Object Injection through the deserialization of the post content within admin form posts. This is a result of using WordPress's maybe_unserialize() function without class restrictions on user-controllable content stored in the admin form post content. This allows authenticated attackers with Editor-level access or higher to inject a PHP object. The presence of a property-oriented programming (POP) chain enables attackers to achieve remote code execution.
Recommendations
Update the Frontend Admin by DynamiApps plugin to version 3.28.32 or later.
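The missing class restriction named in the description, shown as an added example for defenders (not the plugin's code and not its actual fix). DemoGadget and the demo_* functions are hypothetical stand-ins, with demo_maybe_unserialize() a simplified imitation of WordPress's maybe_unserialize(); the stored value is constructed. It assumes PHP 7.0 or later for the allowed_classes option.

```php
<?php
// Constructed stand-in for any class loaded on the site that defines a magic method.
class DemoGadget {
    public static $woken = 0;
    public $note = 'constructed sample';
    public function __wakeup() { self::$woken++; } // runs during unserialize()
}

// Cheap shape check for PHP serialize() output (simplified, assumption).
function demo_looks_serialized($data) {
    return is_string($data) && preg_match('/^(N;|[abdisOC]:)/', trim($data)) === 1;
}

// Simplified stand-in for maybe_unserialize(): no class restrictions.
function demo_maybe_unserialize($data) {
    return demo_looks_serialized($data) ? @unserialize(trim($data)) : $data;
}

// Hardened variant: never instantiate classes, and reject payloads that carry objects.
function demo_safe_unserialize($data) {
    if (!demo_looks_serialized($data)) {
        return $data;
    }
    $value = @unserialize(trim($data), ['allowed_classes' => false]);
    $has_object = false;
    $walk = function ($v) use (&$walk, &$has_object) {
        // With allowed_classes => false, objects arrive as __PHP_Incomplete_Class.
        if (is_object($v) || $v instanceof __PHP_Incomplete_Class) { $has_object = true; }
        elseif (is_array($v)) { foreach ($v as $item) { $walk($item); } }
    };
    $walk($value);
    return $has_object ? null : $value;
}

// Constructed sample of stored form content that carries an object.
$stored = serialize(['title' => 'Contact form', 'extra' => new DemoGadget()]);

$unsafe = demo_maybe_unserialize($stored);
echo 'unrestricted: class=', get_class($unsafe['extra']),
     ' __wakeup calls=', DemoGadget::$woken, PHP_EOL;

DemoGadget::$woken = 0;
$safe = demo_safe_unserialize($stored);
echo 'restricted: result=', var_export($safe, true),
     ' __wakeup calls=', DemoGadget::$woken, PHP_EOL;

// Plain data still round-trips through the hardened path.
var_export(demo_safe_unserialize(serialize(['title' => 'Contact form', 'fields' => 3])));
```

Where the stored content only ever needs arrays and scalars, json_encode()/json_decode() avoids object instantiation altogether.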
Fix
Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
Affected Products
Frontend Admin
WordPress