{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3328", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-27T14:10:06.693Z", "datePublished": "2026-03-26T02:25:19.630Z", "dateUpdated": "2026-03-26T17:51:16.381Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-26T02:25:19.630Z"}, "affected": [{"vendor": "shabti", "product": "Frontend Admin by DynamiApps", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.28.31", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution."}], "title": "Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0faa8f07-88c1-4638-9de5-e202807866e1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/admin/admin-pages/forms/settings.php#L419"}, {"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.27/main/admin/admin-pages/forms/settings.php#L419"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3486785%40acf-frontend-form-element&new=3486785%40acf-frontend-form-element&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502 Deserialization of Untrusted Data", "cweId": "CWE-502", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-02-27T14:25:17.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T14:11:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3328", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T17:36:37.214144Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:51:16.381Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3328", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T17:36:37.214144Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:48:46.633Z"}}], "cna": {"title": "Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "shabti", "product": "Frontend Admin by DynamiApps", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.28.31"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-27T14:25:17.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-25T14:11:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0faa8f07-88c1-4638-9de5-e202807866e1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/admin/admin-pages/forms/settings.php#L419"}, {"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.27/main/admin/admin-pages/forms/settings.php#L419"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3486785%40acf-frontend-form-element&new=3486785%40acf-frontend-form-element&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-26T02:25:19.630Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3328", "state": "PUBLISHED", "dateUpdated": "2026-03-26T17:51:16.381Z", "dateReserved": "2026-02-27T14:10:06.693Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-26T02:25:19.630Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution."}], "id": "CVE-2026-3328", "lastModified": "2026-03-26T04:17:11.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-26T04:17:11.663", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.27/main/admin/admin-pages/forms/settings.php#L419"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/admin/admin-pages/forms/settings.php#L419"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3486785%40acf-frontend-form-element&new=3486785%40acf-frontend-form-element&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0faa8f07-88c1-4638-9de5-e202807866e1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.28.31]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "Frontend Admin by DynamiApps", "source": "cna", "vendor": "shabti"}, "product": "frontend_admin_by_dynamapps", "vendor": "shabti"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T04:19:35.498418+00:00", "value": {"mitigation_remediation": ["Update the plugin to the latest version (\u22653.28.32) where the deserialization issue has been fixed.", "If an update cannot be performed immediately, consider disabling the plugin or removing it from the site until a patch is available.", "Restrict user roles to ensure that only trusted administrators have Editor or higher privileges, and prevent non-admin users from creating or editing admin_form posts.", "As a temporary measure, manually sanitize or remove the 'post_content' field in existing admin_form posts, or disable the use of post_content in forms until a fix is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected systems are WordPress sites that have the Frontend Admin by DynamiApps plugin installed at any version up to and including 3.28.31. No specific hardware or OS platform is mentioned; the risk applies to every environment that hosts the vulnerable plugin, regardless of other configurations.", "description_and_impact": "The vulnerability is a PHP Object Injection resulting from the uncontrolled deserialization of the 'post_content' field in admin_form posts. Because the plugin uses WordPress's maybe_unserialize() without class restrictions, an authenticated user with Editor-level permissions can craft a payload that results in a PHP object being instantiated. When combined with a PHP Object Poisoning chain, this allows execution of arbitrary code, effectively granting the attacker remote code execution privileges. This is a serious flaw identified as CWE\u2011502.", "risk_and_exploitability": "With a CVSS score of 7.2 the vulnerability presents a high potential for impact, but its exploitation requires an authenticated role of Editor or higher. The lack of an EPSS score and its absence from the KEV catalog suggest that we currently have no data on active exploitation but the possibility remains. Site administrators should treat this as a high risk and seek a remediation promptly. The attack vector is likely through the plugin\u2019s admin interface, where an attacker can submit a crafted post_content value that triggers the vulnerable deserialization path."}}}}, "created": "2026-03-26T11:30:45.413461+00:00", "updated": "2026-03-26T12:08:46.422099+00:00", "vendors": ["shabti", "shabti$PRODUCT$frontend_admin_by_dynamapps", "wordpress", "wordpress$PRODUCT$wordpress"]}