WordPress Admin Form Plugin Privilege Escalation via Role Manipulation

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 3.28.36. This is due to insufficient authorization checks in the role field update mechanism combined with overly permissive capabilities for the admin_form post type. The admin_form custom post type uses 'capability_type' => 'page', which grants editors the ability to create and edit forms. When an editor creates an edit_user form, they can manipulate the form configuration to include 'administrator' in the role_options array by directly submitting POST data to wp-admin/post.php, bypassing the UI restrictions in feadmin_get_user_roles(). When the form is subsequently submitted, the pre_update_value() function in class-role.php only validates that the submitted role exists in the form's role_options array (lines 107-110), but fails to verify that the current user has permission to assign that specific role. This makes it possible for unauthenticated attackers to f

Casky was already ahead

This CVE exploits attack patterns that Casky's 203matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

The Frontend Admin by DynamiApps plugin for WordPress contains a critical privilege escalation vulnerability (CVE-2026-6228, CVSS 8.8) affecting versions through 3.28.36. The flaw stems from insufficient authorization checks in the role field update mechanism combined with overly permissive capabilities assigned to the admin_form custom post type. By setting 'capability_type' => 'page', the plugin grants editor-level users the ability to create and edit forms. When a malicious editor creates an edit_user form, they can manipulate the form configuration to escalate their own privileges or modify other user roles, effectively bypassing WordPress's core role-based access control (RBAC) system. This vulnerability affects any WordPress installation using this plugin, particularly those with multiple editor accounts or untrusted editorial staff.

Casky's 203 mapped security skills detect the attack patterns behind this privilege escalation through Claude AI's extended reasoning across MITRE ATT&CK technique TA0004 (Privilege Escalation). Practitioners using Casky would identify detection signals including: suspicious admin_form post type creation by non-admin users, unauthorized modifications to the role field parameters, anomalous user role changes originating from form submission endpoints, and capability checks that fail to properly validate editor-level restrictions on user manipulation functions. The platform's skill coverage would flag the root cause—insufficient authorization validation in capability_type assignments—and correlate it with indicators of post-type permission abuse, enabling security teams to pinpoint compromised editor accounts and trace lateral privilege escalation attempts before full administrative access is achieved.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

203 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-6228.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-office365-audit-logs-for-compromise

cloud security · low

Run

MITRE ATT&CK Techniques

TA0004

Investigate the attack patterns behind CVE-2026-6228

Casky has 203 skills that investigate the attack patterns behind CVE-2026-6228. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn