Frontend Admin by DynamiApps PHP Object Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A PHP object injection vulnerability has been identified in the Frontend Admin by DynamiApps plugin for WordPress, caused by deserialization of the 'post_content' of admin_form posts. All versions through 3.28.31 are affected. The plugin passes user-controllable content to WordPress's 'maybe_unserialize()' function without restricting which classes may be instantiated, which allows authenticated attackers with Editor-level access or higher to inject a PHP object. If a property-oriented programming (POP) chain is present, the injected object could be used to execute code remotely.

Impact

Successful exploitation results in unauthorized PHP object injection; whether this escalates to remote code execution depends on the properties and methods of the injected object.

Reproduction

To reproduce this vulnerability, an authenticated user with Editor-level access or higher creates or edits an admin_form post and places a crafted serialized PHP object in its 'post_content' field. When the plugin passes that content to 'maybe_unserialize()', it is deserialized without any validation of the classes it contains, so the object is instantiated. If the instantiated object can be driven through a property-oriented programming chain, this can result in remote code execution.
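As an added illustration that is not the plugin's own code and makes no claim about its internals: a hypothetical loader for settings stored in an admin_form post's 'post_content', first in the weak pattern the advisory describes (an unrestricted unserialize(), which is what maybe_unserialize() performs on serialized input) and then in a hardened form that refuses objects. The function names load_settings_weak, load_settings_hardened and is_plain_data, and the sample inputs, are assumptions constructed for the example.

```php
<?php
// Added example, not the plugin's code: a hypothetical loader for the
// settings an 'admin_form' post keeps in post_content. The weak variant
// mirrors what maybe_unserialize() does for serialized input (an
// unrestricted unserialize()); the hardened variant refuses objects.

// Constructed sample inputs as they might be stored in post_content.
$legit   = serialize(['fields' => ['title', 'content'], 'redirect' => '/thanks']);
$tainted = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'; // a serialized object of some class

// WEAK: no class restriction. Any serialized object in the content is
// instantiated and its __wakeup()/__destruct() run, which is what makes a
// property-oriented programming chain possible in the first place.
function load_settings_weak(string $post_content)
{
    return @unserialize($post_content);
}

// HARDENED: allowed_classes => false makes every object token decode to a
// __PHP_Incomplete_Class stub, so nothing is instantiated and no magic
// method runs. The result is then checked against the shape we expect.
function load_settings_hardened(string $post_content): array
{
    $data = @unserialize($post_content, ['allowed_classes' => false]);
    if (!is_array($data) || !is_plain_data($data)) {
        error_log('admin_form: rejected non-array or object-bearing post_content');
        return []; // fall back to defaults
    }
    return $data;
}

// True only for (nested) arrays whose leaves are scalars or null.
function is_plain_data($value): bool
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (!is_plain_data($item)) {
                return false;
            }
        }
        return true;
    }
    return is_scalar($value) || $value === null;
}

// Compare the two loaders on the tainted and the legitimate input.
var_dump(load_settings_weak($tainted) instanceof stdClass);
var_dump(load_settings_hardened($tainted));
var_dump(load_settings_hardened($legit)['redirect']);
```

Storing such settings as JSON instead (wp_json_encode() on write, json_decode($s, true) on read) removes the deserialization surface entirely, since json_decode() never instantiates classes.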

Remediation

Users are advised to update the Frontend Admin by DynamiApps plugin to version 3.28.32 or later, where this vulnerability has been patched.

Added: Mar 26, 2026, 4:21 AM
Updated: Mar 26, 2026, 4:21 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 10.0
exploitability: 5.8
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.