Frontend Admin by DynamiApps Privilege Escalation Vulnerability in WordPress

Vulnerability

A privilege escalation vulnerability has been identified in the Frontend Admin by DynamiApps plugin for WordPress, affecting versions through 3.28.36. The issue arises from inadequate authorization checks in the role field update process, combined with overly broad capabilities assigned to the admin_form custom post type, which allow editors to create and modify forms. Exploitation involves a user with the editor role manipulating a form's role options to include 'administrator' and then submitting the form, thereby escalating their own privileges to administrator.

Impact

Exploitation of this vulnerability allows unauthorized users to gain administrative privileges on the WordPress site.

Reproduction

To reproduce this vulnerability, an attacker must first register as an editor through the public 'new_user' form. Once they have editor access, they can create an 'edit_user' form through the admin interface. During form creation, they can add 'administrator' to the role_options array by submitting modified POST data to 'wp-admin/post.php', bypassing the restrictions that the normal user interface enforces. After the form is saved, the attacker can submit it, which triggers the 'pre_update_value()' function in 'class-role.php'. This function checks only whether the submitted role is in the role_options array, not whether the submitting user is permitted to assign that role. As a result, the attacker can change their own role to administrator.
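The root cause described above is an authorization decision made against data the attacker controls (the form's own role_options list) instead of against the submitting user's capabilities. The following PHP is an added example written for this advisory; it is not code from the Frontend Admin plugin, and the function names and the shape of the $field array are hypothetical. Only the WordPress core functions it calls (current_user_can, get_editable_roles, sanitize_key) are real. It places the vulnerable pattern beside a hardened one, and adds a companion check for the second weakness: sanitizing role_options when the form post itself is saved, so that a user who can edit admin_form posts cannot smuggle roles they could never assign into the list.

```php
<?php
/**
 * Added example, not plugin code. Hypothetical function names and field shape.
 * Real WordPress APIs used: current_user_can(), get_editable_roles(), sanitize_key().
 */

// --- Vulnerable pattern: trusts the form's own role_options list ----------
function example_vulnerable_pre_update_value( $value, array $field ) {
    $allowed = isset( $field['role_options'] ) ? (array) $field['role_options'] : array();
    // Only asks "is this role in the list the form author configured?".
    // If a low-privileged form author can put 'administrator' into that list,
    // any submitter can select it and the check passes.
    if ( ! in_array( $value, $allowed, true ) ) {
        return null;
    }
    return $value;
}

// --- Hardened pattern: authorize against the current user, not the form --
function example_hardened_pre_update_value( $value, array $field ) {
    $role = sanitize_key( $value );
    if ( '' === $role ) {
        return null;
    }

    // Keep the form's whitelist as a first filter...
    $allowed = isset( $field['role_options'] ) ? (array) $field['role_options'] : array();
    if ( ! in_array( $role, $allowed, true ) ) {
        return null;
    }

    // ...but the decision that matters is whether the submitting user may assign
    // roles at all. 'promote_users' is the capability core requires on the
    // Users screen; editors do not hold it in a default single-site install.
    if ( ! current_user_can( 'promote_users' ) ) {
        return null;
    }

    // Defense in depth: restrict to roles the caller is allowed to grant.
    // get_editable_roles() applies the 'editable_roles' filter, which site
    // owners and other plugins use to narrow the grantable set.
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }
    if ( ! array_key_exists( $role, get_editable_roles() ) ) {
        return null;
    }

    return $role;
}

// --- Companion fix: sanitize role_options when the form post is saved -----
// Whatever capability the custom post type grants, the stored list should
// never contain a role that the saving user could not assign directly.
function example_sanitize_role_options_on_save( array $role_options ) {
    if ( ! current_user_can( 'promote_users' ) ) {
        // A user who cannot promote users gets no role choices at all.
        return array();
    }
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }
    $grantable = array_keys( get_editable_roles() );
    $cleaned   = array_map( 'sanitize_key', $role_options );
    return array_values( array_intersect( $cleaned, $grantable ) );
}
```

The save-time helper would be called from whatever path persists the form definition (the plugin's own save hook is not shown here, so it is left as a plain function). Together the two checks close both halves of the issue: an editor can no longer populate role_options with 'administrator', and even a form that already contains it cannot be used to assign that role by a submitter who lacks 'promote_users'.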

Remediation

Users are advised to update the Frontend Admin by DynamiApps plugin to version 3.29.1 or later.

Added: May 15, 2026, 12:53 PM
Updated: May 15, 2026, 12:53 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 5.0
exploitability: 6.4
remediation: 7.7
relevance: 8.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.