CVE-2025-14736
Published: 09 January 2026
Summary
CVE-2025-14736 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 46.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-14736 is a privilege escalation vulnerability in the Frontend Admin by DynamiApps plugin for WordPress, affecting all versions up to and including 3.28.29. The issue arises from insufficient validation of user-supplied role values in the plugin's 'validate_value', 'pre_update_value', and 'get_fields_display' functions, specifically within the user role field handling code. Published on 2026-01-09, it is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management).
Unauthenticated attackers can exploit this vulnerability if they can reach a user registration form on the targeted site that contains a Role field. By manipulating the role value submitted during registration, they can assign themselves administrator privileges and gain complete control over the WordPress site, including full read, write, and execution capabilities.
Patches addressing this vulnerability are available in WordPress plugin trac changesets, including https://plugins.trac.wordpress.org/changeset/3427243/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php and https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3472098%40acf-frontend-form-element&new=3472098%40acf-frontend-form-element&sfp_email=&sfph_mail=. Additional details are provided in Wordfence's threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/07eb71fc-6588-490d-8947-3077ec4a9045?source=cve. Security practitioners should update the plugin beyond version 3.28.29 and review sites for exposed registration forms with Role fields.
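The defensive pattern the advisory points at (treat the submitted role as untrusted and check it against a server-side allowlist before the account is created) can be shown in a few lines. The following PHP is an added example written for this page; it is not code from the Frontend Admin plugin or from its changesets, and the function name `registration_role_for`, the allowlist and the sample inputs are assumptions constructed for illustration. In a real WordPress site the returned value would be what is passed as the `role` argument to `wp_insert_user()`, and the fallback would come from `get_option( 'default_role' )`.

```php
<?php
// Added example (not the plugin's code): decide which role a public
// self-registration request may receive. The 'role' value posted by the form
// is attacker-controlled, so it is only a hint that must match an allowlist
// configured on the server side; anything else falls back to the default role.

/**
 * Return the role to assign to a newly self-registered user.
 *
 * @param mixed    $submitted    Raw 'role' value from the form (may be missing or tampered).
 * @param string[] $allowed      Roles the site owner permits for self-registration.
 * @param string   $default_role Fallback role (WordPress keeps this in get_option('default_role')).
 * @return string  Role slug that is safe to hand to wp_insert_user().
 */
function registration_role_for( $submitted, array $allowed, string $default_role ): string {
    // Assumption: privileged roles are never assignable through a public form,
    // even if a misconfigured allowlist happens to include them.
    $never_self_assign = array( 'administrator' );
    $allowed           = array_values( array_diff( $allowed, $never_self_assign ) );

    // Arrays or objects smuggled in through a manipulated POST body are ignored.
    if ( ! is_string( $submitted ) ) {
        return $default_role;
    }

    // Normalise to a role slug: lowercase, letters/digits/underscore/hyphen only.
    $role = strtolower( preg_replace( '/[^a-z0-9_\-]/i', '', $submitted ) );

    // Strict comparison against the allowlist; unknown or disallowed -> default.
    if ( '' === $role || ! in_array( $role, $allowed, true ) ) {
        return $default_role;
    }
    return $role;
}

// Constructed sample site configuration: only two roles may be self-selected.
// 'administrator' is deliberately (mis)listed to show it is still refused.
$allowed = array( 'subscriber', 'customer', 'administrator' );
$default = 'subscriber';

// Constructed sample submissions paired with the role that should result.
$checks = array(
    array( 'customer',               'customer' ),
    array( 'administrator',          'subscriber' ),
    array( 'Subscriber',             'subscriber' ),
    array( array( 'administrator' ), 'subscriber' ),
    array( null,                     'subscriber' ),
);
foreach ( $checks as list( $input, $expected ) ) {
    $got = registration_role_for( $input, $allowed, $default );
    echo ( $got === $expected ? 'ok   ' : 'FAIL ' )
        . var_export( $input, true ) . ' -> ' . $got . PHP_EOL;
}
```

The point of the shape is that the allowlist is the only thing that grants a role: the form can name any role it likes, but the server decides from its own configuration, and the most privileged role is excluded regardless of configuration. The same check belongs on the update path as well (the `pre_update_value` stage named in the advisory), where an additional condition is that the acting user actually holds the capability to change roles.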
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1804
Vulnerability details
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.29. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows direct, unauthenticated exploitation of a public-facing WordPress plugin registration form to escalate privileges through role manipulation (CWE-269), which is the behaviour T1068 describes.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user-supplied inputs such as role values in registration forms to prevent improper privilege escalation.
- SI-2 (Flaw Remediation): mandates identification, reporting, and correction of flaws like the insufficient validation in the plugin's user role handling functions.
- AC-2 (Account Management): ensures user accounts and privileges, including administrator roles, are created and modified only through authorized and validated processes.