CVE-2024-3729
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'fea_encrypt' function in all versions up to, and including, 3.19.4. This makes it possible for unauthenticated attackers to manipulate the user processing forms, which can be used to add and edit administrator user for privilege escalation, or to automatically log in users for authentication bypass, or manipulate the post processing form that can be used to inject arbitrary web scripts. This can only be exploited if the 'openssl' php extension is not loaded on the server.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| shabti | Frontend Admin by DynamiApps | 0 <= 3.19.4 | affected |
Weaknesses
- CWE-636: CWE-636 Not Failing Securely ('Failing Open')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
CVE Program Container
Additional References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a2d22c5d-5ef5-4920-a1b5-e8284394c7e8?source=cve
- https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.18.15/main/helpers.php#L617
- https://plugins.trac.wordpress.org/changeset/3073379/acf-frontend-form-element#file4
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a2d22c5d-5ef5-4920-a1b5-e8284394c7e8?source=cve
- https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.18.15/main/helpers.php#L617
- https://plugins.trac.wordpress.org/changeset/3073379/acf-frontend-form-element#file4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.