PT-2026-44760 · Dynamiapps · Frontend Admin

Louis Deschanel +1 · Published 2026-05-29 · Updated 2026-05-29 · CVE-2026-10039

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Frontend Admin by DynamiApps versions prior to 3.28.29

Description

The plugin is subject to generic SQL Injection, which occurs when an application fails to properly sanitize or escape user-supplied data before including it in a database query. Authenticated attackers with administrator-level access or higher can append additional SQL queries to extract sensitive information from the database. This is possible via the order parameter, provided that a valid orderby parameter is also supplied in the same request to reach the vulnerable code path.

Recommendations

Update the plugin to a version later than 3.28.28. As a temporary mitigation, restrict access to the order parameter in the affected functionality.
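
One way to restrict the order parameter, shown as an added example that is neither the plugin's code nor its actual patch: a prepared-statement placeholder cannot bind the ASC/DESC keyword, so both order and orderby are resolved through allow-lists and nothing from the request is concatenated into the query. The column map, the default column and the function name are hypothetical.

```php
<?php
// Added example. The column names below are hypothetical, not taken from the plugin.
// Keys are the values accepted in the orderby request parameter;
// values are the fixed column names that may appear in the SQL text.
const ALLOWED_ORDERBY = [
    'id'    => 'id',
    'title' => 'post_title',
    'date'  => 'created_at',
];

/**
 * Build an ORDER BY clause from request parameters using allow-lists only.
 * The returned string contains no characters that originated in the request.
 */
function build_order_clause(array $params): string
{
    // Arrays (e.g. order[]=x) and missing values are treated as empty strings.
    $orderby = is_string($params['orderby'] ?? null) ? strtolower($params['orderby']) : '';
    $order   = is_string($params['order'] ?? null) ? strtoupper(trim($params['order'])) : '';

    // Unknown sort keys fall back to the default column.
    $column = ALLOWED_ORDERBY[$orderby] ?? 'id';

    // Exact match against the two keywords; anything else becomes ASC.
    $direction = in_array($order, ['ASC', 'DESC'], true) ? $order : 'ASC';

    return "ORDER BY `{$column}` {$direction}";
}

// Constructed sample requests: one well-formed, three malformed.
$samples = [
    ['orderby' => 'title', 'order' => 'desc'],
    ['orderby' => 'title', 'order' => 'desc; SELECT 1'],
    ['orderby' => 'no_such_column', 'order' => 'DESC'],
    ['orderby' => 'date', 'order' => ['desc']],
];

foreach ($samples as $sample) {
    echo json_encode($sample), ' => ', build_order_clause($sample), PHP_EOL;
}
```

The malformed samples all produce a clause built only from the fixed column names and the ASC keyword, which is the behaviour to confirm after upgrading or when reviewing other code that sorts on request parameters.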

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-10039

Affected Products

Frontend Admin