CVE-2026-3328
Published: 26 March 2026
Summary
CVE-2026-3328 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation of the deserialization flaw in the Frontend Admin plugin through patching to version beyond 3.28.31.
Prevents PHP object injection by validating and sanitizing user-controllable post_content in admin_form posts before deserialization with maybe_unserialize().
Limits the attack surface by enforcing least privilege, restricting Editor-level and above access to modifying admin_form post_content only to essential roles.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
PHP object injection (CWE-502) in public-facing WordPress plugin directly enables remote exploitation for RCE; Editor-level auth to full code execution maps to privilege escalation.
NVD Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function…
more
without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
Deeper analysisAI
CVE-2026-3328 is a PHP Object Injection vulnerability in the Frontend Admin by DynamiApps plugin for WordPress, affecting all versions up to and including 3.28.31. The issue arises from the plugin's use of WordPress's `maybe_unserialize()` function without class restrictions when deserializing user-controllable `post_content` in admin_form posts. This flaw, classified under CWE-502 (Deserialization of Untrusted Data), has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-26.
Authenticated attackers with Editor-level access or higher can exploit this vulnerability by injecting a malicious PHP Object into the admin_form post content. The presence of a Property-Oriented Programming (POP) chain in the plugin enables these attackers to achieve remote code execution (RCE) on the targeted WordPress site.
Advisories, including those from Wordfence, reference the vulnerable code in the plugin's `main/admin/admin-pages/forms/settings.php` file at line 419, as shown in the WordPress plugin Trac browser and changeset 3486785. The Wordfence threat intelligence page provides further details on the vulnerability under ID 0faa8f07-88c1-4638-9de5-e202807866e1.
Details
- CWE(s)