Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Infosec News Nuggets — July 15, 2026 – AboutDFIR

    July 15, 2026

    Helping small businesses with free, hands-on cyber consultancy

    July 15, 2026

    US charges alleged operators of Russian bulletproof hosting service

    July 15, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»Alerts»CVE-2026-6226 | THREATINT
    Alerts

    CVE-2026-6226 | THREATINT

    adminBy adminMay 28, 2026No Comments1 Min Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Home

    Description

    The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST[‘_acf_form’] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action’s run() function falls back to attacker-controlled field definitions from $form[‘fields’] when legitimate fields cannot be found. The role field’s pre_update_value() validation reads $field[‘role_options’] from this attacker-controlled definition, allowing an attacker to specify [‘administrator’] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.

    PUBLISHED Reserved 2026-04-13 | Published 2026-05-28 | Updated 2026-05-28 | Assigner Wordfence

    HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Problem types

    CWE-269 Improper Privilege Management

    Product status

    Default status
    unaffected

    Any version
    affected

    Timeline

    2026-04-13: Vendor Notified
    2026-05-27: Disclosed

    Credits

    daroo finder

    References

    www.wordfence.com/…-3384-4ea7-96dd-d6adcce40392?source=cve

    plugins.trac.wordpress.org/…end/fields/user/class-role.php

    plugins.trac.wordpress.org/…end/fields/user/class-role.php

    plugins.trac.wordpress.org/…rontend/forms/actions/user.php

    plugins.trac.wordpress.org/…rontend/forms/actions/user.php

    plugins.trac.wordpress.org/…ntend/forms/classes/submit.php

    plugins.trac.wordpress.org/…ntend/forms/classes/submit.php

    plugins.trac.wordpress.org/…tend/forms/classes/display.php

    plugins.trac.wordpress.org/…tend/forms/classes/display.php

    plugins.trac.wordpress.org/…-element&sfp_email=&sfph_mail=

    cve.org (CVE-2026-6226)

    nvd.nist.gov (CVE-2026-6226)

    Download JSON



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleSextortionist sentenced to 33 years for targeting 145 children
    Next Article CVE-2026-46241 | THREATINT
    admin
    • Website

    Related Posts

    Alerts

    CISA Adds One Known Exploited Vulnerability to Catalog

    June 12, 2026
    Alerts

    FreePBX security advisory (AV26–596) – Canadian Centre for Cyber Security

    June 12, 2026
    Alerts

    SSA-879734 V1.0: Multiple Vulnerabilities in SCALANCE XM-400/XR-500 before V6.6.1

    June 12, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Our Picks

    Infosec News Nuggets — July 15, 2026 – AboutDFIR

    July 15, 2026

    Helping small businesses with free, hands-on cyber consultancy

    July 15, 2026

    US charges alleged operators of Russian bulletproof hosting service

    July 15, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.