SB2025042463 - Multiple vulnerabilities in Flynax Bridge plugin for WordPress
Published: April 24, 2025 Updated: May 9, 2025
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2025-3604)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists because the affected plugin does not properly validate a user's identity before updating account details such as the email address. A remote attacker can change arbitrary users' email addresses and gain access to their accounts.
2) Unverified Password Change (CVE-ID: CVE-2025-3603)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the affected plugin does not properly validate a user's identity before updating account details such as the password. A remote attacker can change arbitrary users' passwords and gain access to their accounts.
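Both issues share one root cause: an account-update handler that never confirms who is asking. The following is an added illustration and not code from the Flynax Bridge plugin; the hook names, action names and request fields are hypothetical. It shows the weak pattern the bulletin describes beside a hardened WordPress AJAX handler that ties the update to the authenticated session and re-checks the current password.

```php
<?php
// Added illustration, not the Flynax Bridge plugin's code; names are hypothetical.
// WEAK: reachable without login, trusts a client-supplied user ID and performs
// no identity check, so any caller can rewrite any account's email or password.
add_action('wp_ajax_nopriv_demo_update_profile', 'demo_update_profile_weak');
function demo_update_profile_weak() {
    $user_id = (int) $_POST['user_id'];
    wp_update_user([
        'ID'         => $user_id,
        'user_email' => sanitize_email($_POST['email']),
        'user_pass'  => $_POST['password'],
    ]);
    wp_send_json_success();
}
// HARDENED: logged-in hook only, nonce check, identity taken from the session
// rather than the request, and re-authentication before sensitive changes.
add_action('wp_ajax_demo_update_profile', 'demo_update_profile_hardened');
function demo_update_profile_hardened() {
    check_ajax_referer('demo_update_profile', '_wpnonce');
    $user = wp_get_current_user();
    if (!$user->exists() || !current_user_can('edit_user', $user->ID)) {
        wp_send_json_error('not allowed', 403);
    }
    // Changing email or password requires proof of the current password.
    $current = isset($_POST['current_password']) ? $_POST['current_password'] : '';
    if (!wp_check_password($current, $user->user_pass, $user->ID)) {
        wp_send_json_error('re-authentication failed', 403);
    }
    $data = ['ID' => $user->ID];
    if (!empty($_POST['email'])) {
        $email    = sanitize_email(wp_unslash($_POST['email']));
        $existing = email_exists($email);
        if (!is_email($email) || ($existing && (int) $existing !== $user->ID)) {
            wp_send_json_error('invalid email', 400);
        }
        $data['user_email'] = $email;
    }
    if (!empty($_POST['password'])) {
        $data['user_pass'] = $_POST['password'];
    }
    $result = wp_update_user($data);
    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message(), 400);
    }
    wp_send_json_success();
}
```

The key defensive difference is that the hardened handler never reads the target user ID from the request; the account being modified is always the one bound to the current session.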
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/flynax-bridge/flynax-bridge-220-unauthenticated-privilege-escalation-via-account-takeover
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/flynax-bridge/flynax-bridge-220-unauthenticated-privilege-escalation-via-password-update