HIGH | CVE-2026-7802 | Published: | Modified: | CNA: Wordfence

CVE-2026-7802: Frontend Admin by DynamiApps <= 3.29.2 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via 'user_id' URL Query Parameter

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= value, enabling full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have its 'Roles' configuration setting left empty; when a non-empty roles list is configured, load_data() sets the user ID to 'none' for users whose roles fall outside the allowed list, preventing administrators from being targeted through that form.
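To make the bug class concrete, the following is an added PHP illustration written for this page; it is not code from the Frontend Admin plugin, and the function names (example_*), the nonce action 'example_edit_user' and the shape of the form-config array are assumptions. The first resolver mirrors the target-selection behaviour the advisory attributes to load_data(): a role allow-list applied to the target, which says nothing about whether the requester is allowed to edit that target. The second adds the check the advisory says is missing, WordPress's edit_user meta capability on the target, plus a nonce.

```php
<?php
/*
 * Added illustration for this advisory, not code from the Frontend Admin
 * plugin. All function names, the nonce action and the config layout are
 * hypothetical. Requires the WordPress runtime (absint, get_userdata,
 * current_user_can, wp_verify_nonce, wp_update_user, wp_die).
 */

// Hypothetical form configuration. 'roles' is the form's allowed-roles list;
// an empty list means "any user", the condition under which the advisory
// says administrators become targetable.
function example_form_config() {
    return array( 'roles' => array() ); // try array( 'subscriber' ) to see the allow-list bite
}

// Mirrors the behaviour the advisory attributes to load_data(): the target ID
// is taken from ?user_id= and only rejected ('none') when the target's role
// is outside a NON-EMPTY allowed list. This is an allow-list on the TARGET,
// not an authorization check on the ACTOR, so a subscriber can return an
// administrator's ID whenever 'roles' is empty.
function example_vulnerable_target_id( array $config ) {
    $target_id = isset( $_GET['user_id'] ) ? absint( $_GET['user_id'] ) : get_current_user_id();
    if ( ! empty( $config['roles'] ) ) {
        $target = get_userdata( $target_id );
        if ( ! $target || ! array_intersect( $target->roles, $config['roles'] ) ) {
            return 'none';
        }
    }
    return $target_id;
}

// Hardened equivalent. The request must carry a valid nonce, and the current
// user must hold the 'edit_user' meta capability for the target. WordPress
// grants edit_user to any user for their own account and, via edit_users, to
// administrators for other accounts, so a subscriber cannot reach an admin
// regardless of what ?user_id= says.
function example_hardened_target_id( array $config ) {
    if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'example_edit_user' ) ) {
        return 'none';
    }
    $target_id = isset( $_GET['user_id'] ) ? absint( $_GET['user_id'] ) : get_current_user_id();
    if ( ! current_user_can( 'edit_user', $target_id ) ) {
        return 'none';
    }
    // The role allow-list still applies on top, as a product rule, not as
    // the security boundary.
    if ( ! empty( $config['roles'] ) ) {
        $target = get_userdata( $target_id );
        if ( ! $target || ! array_intersect( $target->roles, $config['roles'] ) ) {
            return 'none';
        }
    }
    return $target_id;
}

// Saving: only ever update the ID the hardened resolver returned, and only
// the fields the form is meant to expose.
function example_save_profile( array $config ) {
    $target_id = example_hardened_target_id( $config );
    if ( 'none' === $target_id ) {
        wp_die( esc_html__( 'You are not allowed to edit this user.' ), 403 );
    }
    $fields = array( 'ID' => $target_id );
    if ( isset( $_POST['user_email'] ) ) {
        $fields['user_email'] = sanitize_email( wp_unslash( $_POST['user_email'] ) );
    }
    foreach ( array( 'first_name', 'last_name' ) as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            $fields[ $key ] = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
        }
    }
    if ( ! empty( $_POST['user_pass'] ) ) {
        $fields['user_pass'] = $_POST['user_pass']; // not sanitized; wp_update_user() hashes it
    }
    $result = wp_update_user( $fields );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), 400 );
    }
}
```

The difference between the two resolvers is the whole vulnerability: the allow-list decides which accounts the form may touch, the capability check decides whether this requester may touch this account. Only the second stops a subscriber from supplying an administrator's ID.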

HarborGuard Analysis

Synopsis

Missing authorization in the Frontend Admin by DynamiApps plugin for WordPress (versions up to and including 3.29.2) allows any authenticated attacker with a subscriber-level account to take over administrator accounts. The vulnerability is reachable over the network and requires no elevated privileges, only a valid low-privilege login. A successful exploit gives the attacker full control of the targeted admin account by overwriting its password or email address, granting complete access to the WordPress site. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment the upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-7802 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including Wordfence) within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle this plugin. Coverage extends to any image layer where the affected plugin files are present.

Triage: Available

HarborGuard scores this finding at CVSS 8.8 HIGH and surfaces it with that severity weight applied against each environment's compliance policy. Per-organization routing rules can direct the alert to the appropriate team inbox based on severity threshold, affected workload tags, or custom policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published for CVE-2026-7802, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released by the plugin author. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress application over the network; the plugin's form endpoint is exposed via ordinary HTTP/HTTPS requests.

  • Authentication: Required

    A valid WordPress account is required, but any low-privilege role (subscriber or above) is sufficient; no elevated or admin credentials are needed.

  • Victim interaction: Not required

    The attacker submits a crafted request directly; no action from an administrator or any other user is needed to trigger the authorization bypass.

  • Attack complexity: Low, with one configuration precondition

    Once the targeted Edit-User form has its Roles setting left empty, the exploit is deterministic: no race conditions or special memory layout are involved. The advisory does not state whether an empty Roles list is the plugin's default, so treat every deployed Edit-User form as exposed until its configuration has been checked.

Blast Radius

  • Attacker overwrites the target administrator's password directly, gaining immediate login access to the WordPress admin dashboard.
  • Attacker replaces the administrator's email address and triggers a password-reset flow, redirecting the reset link to an attacker-controlled address.
  • With admin-level access, the attacker reads all stored site content, user records, and any credentials or tokens held in the WordPress database.
  • With admin-level access, the attacker installs or modifies plugins and themes, enabling arbitrary code execution on the underlying server.

How HarborGuard Handles This

Available on HarborGuard: this CVE is re-checked on every ingest cycle because no upstream fix has been published as of the CVE publication date. Until the plugin author ships a patched release, compensating controls are strongly advised:

  • Audit every deployed Edit-User form and confirm its Roles setting is non-empty, which per the vulnerability description stops administrators from being targeted through that form. Note the limit of this control: the Roles list is an allow-list on the target, so any role that remains listed (for example subscriber) can still be overwritten by other authenticated users through the same form. Keep the list as narrow as the form's purpose allows.
  • In high-risk environments, disable or feature-flag the affected Frontend Admin forms until the fix lands.
  • Restrict network access to WordPress admin and frontend-form endpoints using container network policies or ingress rules that limit exposure to known IP ranges, bearing in mind that the vulnerable form is meant to be reached by ordinary logged-in users, so IP restriction only helps where that population is itself bounded.

Where compliance policy permits, HarborGuard will automatically trigger a patched-image rebuild, regression run, and PR against affected workloads as soon as a fix version is published upstream; for environments with auto-remediation enabled, median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes.
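A site-level compensating control while the fix is pending, as an added example that is neither HarborGuard's nor the plugin's code: an mu-plugin that refuses any user update where the logged-in user lacks the edit_user capability on the target account, whichever form submitted it. It assumes the vulnerable form saves through wp_update_user() (which calls wp_insert_user() and therefore runs the wp_pre_insert_user_data filter); the advisory does not state this, and if the plugin writes the users table directly the hook never fires. The plugin header text and log format are the author's choices.

```php
<?php
/*
 * Plugin Name: Block cross-user profile writes (compensating control)
 * Description: Added example for CVE-2026-7802, not code from HarborGuard or
 * the Frontend Admin plugin. Place in wp-content/mu-plugins/ until a fixed
 * plugin release is installed. Assumes the vulnerable form saves through
 * wp_update_user() / wp_insert_user(); the advisory does not confirm that.
 */

// wp_pre_insert_user_data runs inside wp_insert_user() before the row is
// written. On an update, $user_id is the account being modified. Returning
// an empty array makes wp_insert_user() return WP_Error('empty_data')
// instead of saving, and the follow-on meta writes (first_name, last_name)
// never run either.
add_filter( 'wp_pre_insert_user_data', function ( $data, $update, $user_id, $userdata = array() ) {
    if ( ! $update || ! $user_id ) {
        return $data; // new-user creation is not the vector described
    }

    $actor = get_current_user_id();
    if ( ! $actor ) {
        // No logged-in user: WP-CLI, cron, registration and login hooks.
        // The vulnerability requires an authenticated request, so leave
        // these paths alone rather than break them.
        return $data;
    }

    // edit_user is granted for one's own account and, via edit_users
    // (administrators), for other accounts. A subscriber updating an
    // administrator fails here regardless of which form submitted it.
    if ( current_user_can( 'edit_user', (int) $user_id ) ) {
        return $data;
    }

    // Log enough to triage: who, whom, which sensitive fields, from where.
    $sensitive = array( 'user_pass', 'user_email' );
    $touched   = array_intersect( array_keys( (array) $userdata ), $sensitive );
    error_log( sprintf(
        'CVE-2026-7802 guard: blocked profile write actor=%d target=%d fields=%s uri=%s',
        $actor,
        (int) $user_id,
        $touched ? implode( ',', $touched ) : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );

    return array(); // nothing is saved
}, 10, 4 );
```

Verify it as a subscriber: saving your own profile through the form still works, while submitting the same form with another user's ID in ?user_id= produces the plugin's error path and a line in the PHP error log. Because the guard sits below every form and API that goes through wp_update_user(), it also covers Edit-User forms you have not yet audited.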


Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: no fixed version published (pending upstream)
Affected products: 1
Affected packages
  • shabti / Frontend Admin by DynamiApps, ≤ 3.29.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H