CVE-2026-7802 Overview
CVE-2026-7802 is an authorization bypass vulnerability in the Frontend Admin by DynamiApps plugin for WordPress, affecting all versions up to and including 3.29.2. The plugin fails to verify that a user is authorized to modify another user's profile via its Edit-User form. Authenticated attackers with subscriber-level access can overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= parameter. This enables full administrator account takeover through direct password replacement or email-redirect password reset. The flaw is categorized under CWE-862: Missing Authorization.
Critical Impact
Subscriber-level attackers can take over administrator accounts by overwriting credentials through an unprotected Edit-User form, leading to full WordPress site compromise.
Affected Products
- Frontend Admin by DynamiApps plugin for WordPress — all versions through 3.29.2
- WordPress installations where the plugin's Edit-User form has an empty Roles configuration setting
- Sites exposing the plugin's frontend user-edit form to authenticated low-privileged users
Discovery Timeline
- 2026-05-28 - CVE-2026-7802 published to NVD
- 2026-05-28 - Last updated in the NVD database
Technical Details for CVE-2026-7802
Vulnerability Analysis
The vulnerability resides in the Frontend Admin by DynamiApps plugin's user-edit form handler. The plugin exposes a frontend interface that lets users edit profile data, but it does not validate whether the requesting user is authorized to edit the target identified by the user_id request parameter. Attackers can supply any user_id, including that of an administrator, and the plugin processes the submission as if the attacker owned the account.
When the targeted Edit-User form has an empty Roles configuration setting, the load_data() function does not restrict which accounts can be loaded. Submission then flows through submit.php and user.php action handlers, which write the supplied field values directly to the target user's record. This includes sensitive fields such as user_pass and user_email.
When a non-empty roles list is configured, load_data() sets the user ID to none for users whose roles fall outside the allowed list. This prevents administrators from being targeted through that form and constrains exploitation to misconfigured deployments.
Root Cause
The root cause is missing authorization on the form submission path. The handlers at main/frontend/forms/actions/user.php (lines 565 and 636) and main/frontend/forms/classes/submit.php (lines 110 and 392) do not verify that the authenticated submitter has WordPress capabilities such as edit_user over the target user_id. The plugin relies on form configuration to scope access rather than enforcing per-request capability checks.
Attack Vector
An attacker registers or authenticates as a subscriber-level user on a WordPress site running the affected plugin. The attacker locates a page hosting a Frontend Admin Edit-User form that was deployed without a configured Roles allow-list. The attacker submits the form with a user_id value set to the administrator's ID and supplies a new user_pass or user_email. The plugin overwrites the administrator's credentials, allowing the attacker to log in as administrator or trigger a password reset email redirected to an attacker-controlled address.
No verified exploit code is publicly available. Technical references in the Wordfence Threat Intelligence Report and the plugin source code document the vulnerable code paths.
Detection Methods for CVE-2026-7802
Indicators of Compromise
- Unexpected changes to administrator user_pass, user_email, first_name, or last_name fields in the wp_users table
- HTTP POST requests to pages containing Frontend Admin Edit-User forms with a user_id parameter referencing a privileged account
- Password reset emails directed to unfamiliar addresses shortly after profile submissions from low-privileged accounts
- Administrator logins from new IP addresses or user agents following subscriber activity
Detection Strategies
- Audit wp_users and wp_usermeta tables for recent modifications to administrator accounts and correlate with web access logs
- Inspect web server logs for POST requests carrying a user_id parameter where the submitting session belongs to a non-privileged role
- Monitor WordPress audit logs for profile field changes that originate from frontend form submissions rather than /wp-admin/
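The second detection strategy above (POST requests carrying a user_id that points at a privileged account, outside the /wp-admin/ workflow) as a small log-scanning example. This is added illustration, not code from the plugin or from Wordfence; the log lines and the administrator ID set are constructed, and the script assumes the combined access-log format and a user_id passed in the query string as the page describes.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed: IDs of privileged accounts, e.g. taken from
# `wp user list --role=administrator --fields=ID`.
ADMIN_IDS = {1}

# Combined access-log format (assumption: the site logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, method, target and parsed query params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["params"] = parse_qs(urlsplit(entry["target"]).query)
    return entry


def is_suspicious(entry, admin_ids=ADMIN_IDS):
    """POST outside /wp-admin/ whose user_id names a privileged account."""
    if entry["method"] != "POST":
        return False
    if entry["target"].startswith("/wp-admin/"):
        return False  # the normal profile.php workflow is out of scope here
    return any(v.isdigit() and int(v) in admin_ids
               for v in entry["params"].get("user_id", []))


def scan(lines, admin_ids=ADMIN_IDS):
    """Return (ip, target) pairs for every suspicious request in the log."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry, admin_ids):
            hits.append((entry["ip"], entry["target"]))
    return hits


# Constructed sample log: one subscriber posting an Edit-User form at the
# administrator (ID 1), a legitimate /wp-admin/ profile save, and a post
# targeting an unprivileged account.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2026:10:13:50 +0000] "GET /edit-profile/?user_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/May/2026:10:14:02 +0000] "POST /edit-profile/?user_id=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [28/May/2026:10:20:11 +0000] "POST /wp-admin/profile.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [28/May/2026:10:25:33 +0000] "POST /edit-profile/?user_id=42 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(f"suspicious: {ip} -> {target}")
```

If the form sends user_id in the POST body rather than the query string, the access log alone will not show it; the same check then has to run over a source that records form parameters, such as a WAF audit log or the activity-log plugin recommended below.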
Monitoring Recommendations
- Enable a WordPress activity-log plugin to record all user profile changes with the acting user, target user, and source IP
- Alert on any password or email change applied to administrator accounts outside the standard /wp-admin/profile.php workflow
- Track newly registered subscriber accounts that immediately interact with frontend admin form URLs
How to Mitigate CVE-2026-7802
Immediate Actions Required
- Update the Frontend Admin by DynamiApps plugin to a version newer than 3.29.2 once a patched release is published by the vendor
- Configure every Frontend Admin Edit-User form with a non-empty Roles allow-list that excludes administrator and editor roles
- Force password resets for all administrator accounts and review recent administrator email changes
- Disable open user registration if it is not required for site operations
Patch Information
Review the plugin changeset history at the WordPress plugin repository and the Wordfence advisory for the fixed version once available. Apply the upgrade through the WordPress admin Plugins screen or via wp-cli using wp plugin update acf-frontend-form-element.
Workarounds
- Set the Roles configuration field on every Edit-User form to a restrictive list such as subscriber only, preventing the form from loading administrator records
- Remove or unpublish any frontend page hosting a Frontend Admin Edit-User form until a patched plugin version is installed
- Restrict access to pages containing the affected forms using a membership or access-control plugin so only trusted roles can submit them
# Disable the vulnerable plugin until a fix is available
wp plugin deactivate acf-frontend-form-element
# Verify no administrator accounts have been modified recently
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.