CVE-2025-3604

The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/request.php	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/935caa43-4c75-47ad-a631-63988e21f834?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:flynax:flynax_bridge:*:*:*:*:*:wordpress:*:*

History

12 Aug 2025, 17:46

Type	Values Removed	Values Added
CPE		cpe:2.3:a:flynax:flynax_bridge::::::wordpress::*
References	~~() https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/request.php -~~	() https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/request.php - Product
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/935caa43-4c75-47ad-a631-63988e21f834?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/935caa43-4c75-47ad-a631-63988e21f834?source=cve - Third Party Advisory
First Time		Flynax Flynax flynax Bridge

29 Apr 2025, 13:52

Type	Values Removed	Values Added
Summary		(es) El complemento Flynax Bridge para WordPress es vulnerable a la escalada de privilegios mediante el robo de cuentas en todas las versiones hasta la 2.2.0 incluida. Esto se debe a que el complemento no valida correctamente la identidad del usuario antes de actualizar sus datos, como el correo electrónico. Esto permite que atacantes no autenticados cambien las direcciones de correo electrónico de usuarios arbitrarios, incluidos los administradores, y aprovechen esta situación para restablecer la contraseña del usuario y acceder a su cuenta.

24 Apr 2025, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-24 09:15

Updated : 2025-08-12 17:46

NVD link : CVE-2025-3604

Mitre link : CVE-2025-3604

CVE.ORG link : CVE-2025-3604

JSON object : View

Products Affected

flynax

flynax_bridge

CWE

CWE-862

Missing Authorization

9.8 /10