SB2025042463 - Multiple vulnerabilities in Flynax Bridge plugin for WordPress
Published: April 24, 2025 Updated: May 9, 2025
Description
This security bulletin contains information about 2 vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2025-3604)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists because the affected plugin does not properly validate a user's identity before updating account details such as the email address. A remote attacker can change arbitrary users' email addresses and gain access to their accounts.
2) Unverified Password Change (CVE-ID: CVE-2025-3603)
CWE-ID: CWE-620 - Unverified Password Change
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the affected plugin does not properly validate a user's identity before updating account details such as the password. A remote attacker can change arbitrary users' passwords and gain access to their accounts.
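Both issues share one root cause: an account-update handler that trusts a caller-supplied user identifier and never proves the caller is that user. The following is an added illustration of that pattern and its hardened counterpart in a generic WordPress AJAX handler; it is not the Flynax Bridge plugin's code, and the hook name `example_update_profile` and the function names are hypothetical. It shows the checks a reviewer would look for when auditing a plugin for CWE-862 and CWE-620: no unauthenticated hook, a nonce, identity taken from the session rather than the request, a capability check, and re-authentication with the current password before any credential change.

```php
<?php
/**
 * Added illustration for the CWE-862 / CWE-620 pattern described above.
 * NOT the Flynax Bridge plugin's code; hook and function names are hypothetical.
 */

// Vulnerable shape: reachable without authentication (*_nopriv_ hook), the target
// user ID comes from the request, and nothing verifies the caller's identity
// before the email or password is changed.
//
//   add_action( 'wp_ajax_nopriv_example_update_profile', 'example_update_profile_insecure' );
//   function example_update_profile_insecure() {
//       $user_id = (int) $_POST['user_id'];                                   // caller-controlled
//       wp_update_user( [ 'ID' => $user_id, 'user_email' => $_POST['email'] ] ); // no identity check
//       wp_set_password( $_POST['password'], $user_id );                      // no re-authentication
//   }

// Hardened handler: registered only on the authenticated hook (no *_nopriv_ variant).
add_action( 'wp_ajax_example_update_profile', 'example_update_profile_secure' );

function example_update_profile_secure() {
    // 1. CSRF protection: the form must carry a nonce created with
    //    wp_create_nonce( 'example_update_profile' ).
    check_ajax_referer( 'example_update_profile', 'nonce' );

    // 2. Identity binding: the target user is the logged-in user, never a request parameter.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_send_json_error( [ 'message' => 'Authentication required.' ], 401 );
    }

    // 3. Capability check on top of identity (covers role and multisite edge cases).
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( [ 'message' => 'Not allowed.' ], 403 );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( [ 'message' => 'Unknown user.' ], 400 );
    }

    // 4. CWE-620 mitigation: require the current password before any credential change.
    $current_password = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    if ( '' === $current_password || ! wp_check_password( $current_password, $user->user_pass, $user_id ) ) {
        wp_send_json_error( [ 'message' => 'Current password is incorrect.' ], 403 );
    }

    $updated = [];

    // 5. Email change: validate the value and refuse addresses owned by another account.
    if ( ! empty( $_POST['email'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['email'] ) );
        if ( ! is_email( $email ) ) {
            wp_send_json_error( [ 'message' => 'Invalid email address.' ], 400 );
        }
        $owner = email_exists( $email ); // user ID or false
        if ( false !== $owner && (int) $owner !== $user_id ) {
            wp_send_json_error( [ 'message' => 'Email already in use.' ], 409 );
        }
        $result = wp_update_user( [ 'ID' => $user_id, 'user_email' => $email ] );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( [ 'message' => $result->get_error_message() ], 500 );
        }
        $updated[] = 'email';
    }

    // 6. Password change for the same, already re-authenticated user.
    if ( ! empty( $_POST['new_password'] ) ) {
        $new_password = (string) wp_unslash( $_POST['new_password'] );
        if ( strlen( $new_password ) < 12 ) {
            wp_send_json_error( [ 'message' => 'Password too short.' ], 400 );
        }
        wp_set_password( $new_password, $user_id );
        // WordPress auth cookies are keyed on a fragment of the password hash, so the
        // caller's existing cookie stops validating; re-issue one for this session only.
        wp_set_auth_cookie( $user_id );
        $updated[] = 'password';
    }

    wp_send_json_success( [ 'updated' => $updated ] );
}
```

When reviewing a plugin for this class of bug, the two questions to ask of every account-update endpoint are whether a `wp_ajax_nopriv_` or public REST route reaches it, and whether the user being modified is derived from `get_current_user_id()` or from request data.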
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/flynax-bridge/flynax-bridge-220-unauthenticated-privilege-escalation-via-account-takeover
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/flynax-bridge/flynax-bridge-220-unauthenticated-privilege-escalation-via-password-update