DynamiApps Frontend Admin
cpe:2.3:a:dynamiapps:frontend_admin:*:*:*:*:wordpress:*:*
- <= 3.29.2
A vulnerability allowing authorization bypass has been identified in the Frontend Admin by DynamiApps plugin for WordPress, affecting all versions up to and including 3.29.2. The issue arises because the plugin fails to properly verify user authorization for certain actions. This flaw enables authenticated attackers with subscriber-level access or higher to overwrite an administrator's password, email, and other profile details by manipulating the user ID parameter. Exploitation could lead to complete takeover of the administrator's account, either by directly changing the password or by using an email-based password reset. The vulnerability is only exploitable when the targeted Edit-User form has its 'Roles' setting left empty: when the roles list is populated, the plugin sets the user ID to 'none' for users whose role is not in the list, so the administrator account cannot be targeted through that form.
Successful exploitation allows authenticated users to bypass authorization checks and modify administrator user details, including the password and email, leading to unauthorized access to the admin account.
To reproduce this vulnerability, an authenticated user with a role of subscriber or higher can send a request to the Edit-User form with a custom user ID value. If the form's Roles setting is empty, the request will be processed without proper authorization, allowing the attacker to change the admin's password or email. After the update, the attacker can either log in with the new password or use the email to reset the password and gain access to the admin account.
Users are advised to update the Frontend Admin by DynamiApps WordPress plugin to version 3.29.3 or later, where this vulnerability has been fixed.
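As an added illustration (not the plugin's own code), the following WordPress form handler shows the object-level authorization check whose absence the advisory describes, next to a minimal sketch of the unsafe pattern. The function names, the POST field names, the nonce action `edit_user_form` and the `$allowed_roles` parameter (standing in for the form's 'Roles' setting) are assumptions for this example.

```php
<?php
// Illustrative example only; function and field names are hypothetical.

/**
 * Unsafe pattern (hypothetical): the target ID is taken from the request and
 * trusted, so any logged-in user can update any account, including an admin.
 */
function hypothetical_unsafe_edit_user_handler() {
    $user_id = absint( $_POST['user_id'] ); // attacker-controlled
    wp_update_user( array(
        'ID'         => $user_id,
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
    ) );
}

/**
 * Hardened handler: gate every update on a login check, a nonce, and
 * current_user_can( 'edit_user', $user_id ). WordPress maps that meta
 * capability per object: it passes for the user's own account and otherwise
 * requires the edit_users capability. The role allow-list is enforced on top,
 * so an empty list no longer removes the authorization check.
 */
function hypothetical_safe_edit_user_handler( array $allowed_roles = array() ) {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required.', 403 );
    }
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( $_POST['_wpnonce'], 'edit_user_form' ) ) {
        wp_die( 'Invalid request.', 403 );
    }
    // Default to the caller's own account; honor another ID only if authorized.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'You are not allowed to edit this user.', 403 );
    }
    $target = get_userdata( $user_id );
    if ( ! $target ) {
        wp_die( 'No such user.', 404 );
    }
    // Enforce the form's role allow-list when one is configured.
    if ( $allowed_roles && ! array_intersect( $target->roles, $allowed_roles ) ) {
        wp_die( 'This form cannot edit users with that role.', 403 );
    }
    $result = wp_update_user( array(
        'ID'         => $user_id,
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
    ) );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), 400 );
    }
}
```

The capability check is what closes the bypass; the role allow-list is a form-level restriction and should be treated as defense in depth, not as the authorization control.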