CVE-2026-3328 in Frontend Admin by DynamiApps Plugininfo

Summary

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Responsible

Wordfence

Reservation

02/27/2026

Disclosure

03/26/2026

Status

Confirmed

Entries

VulDB provides additional information and datapoints for this CVE:

ID	Vulnerability	CWE	Exp	Cou	CVE
353515	shabti Frontend Admin by DynamiApps Plugin post_content deserialization	502	Not defined	Official fix	CVE-2026-3328

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

Sources

◂ PreviousOverviewNext ▸

Do you know our Splunk app?

Download it now for free!