CVE-2025-14741
The Frontend Admin by DynamiApps plugin for WordPress
Executive summary
A critical vulnerability has been identified in the Frontend Admin by DynamiApps plugin for WordPress, rated with a CVSS score of 9.1. This flaw allows any unauthenticated individual on the internet to delete website content, including pages, posts, products, and even user accounts. Successful exploitation could lead to significant data loss, website disruption, and reputational damage.
Vulnerability
The vulnerability exists due to a missing authorization check (capability check) within the 'delete_object' function of the plugin. This function is responsible for deleting various types of data within WordPress. Because the check is missing, an unauthenticated attacker can send a specially crafted request to the website that directly calls this function, allowing them to delete arbitrary posts, pages, e-commerce products, taxonomy terms, and user accounts without needing to log in or have any privileges.
Business impact
This vulnerability presents a critical risk to the organization, reflected by its CVSS score of 9.1. Exploitation can lead to immediate and severe consequences, including the complete deletion of website content, which could cripple business operations, especially for e-commerce sites relying on product listings. The ability to delete user accounts can disrupt customer access and lead to a loss of trust. The potential for data loss, service disruption, and reputational harm makes this a high-priority issue requiring immediate attention.
Remediation
Immediate Action: Immediately update the Frontend Admin by DynamiApps plugin for WordPress to the latest available version, which contains the patch for this vulnerability. After updating, review the website's content, posts, pages, and user accounts for any unauthorized deletions that may already have occurred.
Proactive Monitoring: System administrators should monitor web server access logs for unusual or suspicious requests, particularly POST requests to WordPress AJAX endpoints (e.g., admin-ajax.php) that may be attempting to trigger the delete_object function. Implement alerts for rapid or large-scale deletion of content or user accounts.
Compensating Controls: If immediate patching is not feasible, consider implementing a Web Application Firewall (WAF) with rules specifically designed to block requests attempting to exploit this vulnerability. As a last resort, temporarily disabling the plugin until it can be safely updated will mitigate the risk.
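A small log scan for the monitoring advice above, as an added example that is not part of this advisory or of the plugin's code. It assumes Apache/Nginx combined-format access logs in chronological order and flags clients that send bursts of POST requests to admin-ajax.php; the AJAX action name travels in the POST body, which access logs do not record, so the detector keys on request volume rather than on the delete_object function itself.

```python
# Added example (not part of this advisory or the plugin): a burst detector
# for POST requests to admin-ajax.php in combined-format access logs.
# Assumes Apache/Nginx combined log format and chronologically ordered lines.
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (documentation IPs, fake timestamps), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57
203.0.113.7 - - [10/Jan/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57
203.0.113.7 - - [10/Jan/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57
203.0.113.7 - - [10/Jan/2025:12:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57
203.0.113.7 - - [10/Jan/2025:12:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57
198.51.100.4 - - [10/Jan/2025:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 4321
198.51.100.4 - - [10/Jan/2025:12:00:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31
"""

def parse_line(line):
    """Return (ip, datetime, method, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("method"), m.group("path")

def find_ajax_bursts(lines, threshold=5, window_seconds=60):
    """Map client IP -> peak count for clients with >= threshold admin-ajax POSTs in any window."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent matching POSTs
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip it rather than abort the scan
        ip, ts, method, path = parsed
        if method != "POST" or not path.split("?")[0].endswith("/admin-ajax.php"):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop timestamps that fell out of the sliding window
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts
```

Logged-in editors also hit admin-ajax.php frequently (autosave, heartbeat), so tune the threshold and window per site and correlate hits with WordPress-side deletion audit entries before paging anyone.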
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.1) and the fact that this vulnerability can be exploited by an unauthenticated attacker, it is strongly recommended that organizations prioritize immediate patching of the affected plugin. The potential for catastrophic data loss and business disruption is high. Although not currently on the CISA KEV list, the low attack complexity makes it a prime target for malicious actors, and remediation should be treated with the highest urgency.