CRITICAL🇵🇱 Wersja polska

CVE-2024-3729

CVSS 9.8v3.1pub. 2024-05-02upd. 2026-04-08

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'fea_encrypt' function in all versions up to, and including, 3.19.4. This makes it possible for unauthenticated attackers to manipulate the user processing forms, which can be used to add and edit administrator user for privilege escalation, or to automatically log in users for authentication bypass, or manipulate the post processing form that can be used to inject arbitrary web scripts. This can only be exploited if the 'openssl' php extension is not loaded on the server.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of the missing PHP 'openssl' extension by the 'fea_encrypt' function. When the 'openssl' extension is not loaded on the server, an attacker can manipulate forms that process users and posts. This allows creating or editing accounts with administrator privileges, automatic login as any user (authentication bypass), and injecting arbitrary web scripts in post processing forms (XSS). A necessary condition for exploiting the vulnerability is the absence of the 'openssl' extension loaded in the PHP server configuration.

Impact

An unauthenticated attacker can gain full administrative access to the WordPress site (privilege escalation), log in as any user (authentication bypass), or inject and execute malicious web scripts (XSS) leading to further compromise of the service.

Mitigation & patch

The Frontend Admin plugin by DynamiApps should be updated to a version higher than 3.19.4 according to the manufacturer's references. Additionally, it is recommended to ensure that the PHP 'openssl' extension is loaded on the server, which eliminates the necessary condition for exploiting this vulnerability.

Who is affected

Frontend Admin by DynamiApps plugin for WordPress, all versions up to and including 3.19.4, when the PHP 'openssl' extension is not loaded on the server.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dynamiapps Frontend Admin

    APP
    Dynamiapps
    < 3.19.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassLPE
CWE
References

Related vulnerabilities

CVE-2023-51411CRITICAL10.0PL ✓ten sam produkt

Nieuwierzytelniony upload dowolnych plików w WordPress Frontend Admin by DynamiApps

CVE-2025-26987HIGH7.1ten sam produkt

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shabti K...

CVE-2024-11720HIGH7.2ten sam produkt

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via submiss...

CVE-2024-11721HIGH8.1ten sam produkt

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation in all versions up...

CVE-2024-11722MEDIUM5.9ten sam produkt

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to SQL Injection via the 'orderby' paramet...