CRITICAL🇵🇱 Wersja polska

CVE-2025-3603

CVSS 9.8v3.1pub. 2025-04-24upd. 2026-04-08

The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

🤖 AI Analysis
How it works

The plugin does not properly verify user identity before performing updates to user data, particularly the password. An unauthenticated attacker can make an appropriate request to the request.php file, providing the target user's identifier and a new password. The lack of identity validation (CWE-620 — Unverified Password Change) causes the password change to be accepted by the system.

Impact

An attacker can change the password of any WordPress user, including administrators, and then log into the compromised account to gain full control of the website.

Mitigation & patch

Update the Flynax Bridge plugin to a version higher than 2.2.0, in accordance with the fix available in changeset 3306501 in the WordPress Plugins repository. Until the update is applied, it is recommended to deactivate the plugin.

Who is affected

Flynax Bridge plugin for WordPress in all versions up to and including 2.2.0.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Flynax Bridge

    APP
    Flynax
    ≤ 2.2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassLPE
CWE
References

Related vulnerabilities

CVE-2025-3604CRITICAL9.8PL ✓ten sam produkt

Flynax Bridge dla WordPress — przejęcie konta przez zmianę adresu e-mail

CVE-2025-4179HIGH7.3ten sam produkt

The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capabili...

CVE-2025-4177MEDIUM5.3ten sam produkt

The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability ...