CRITICAL🇵🇱 Wersja polska

CVE-2025-3604

CVSS 9.8v3.1pub. 2025-04-24upd. 2026-04-08

The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

🤖 AI Analysis
How it works

The plugin does not properly verify user identity before updating user data, including email address. An unauthenticated attacker can change the email address of any account — including administrator accounts. After changing the email address, the attacker initiates the standard password reset procedure, which sends a reset link to the newly set address, allowing them to ultimately take full control of the account.

Impact

An attacker can take over a WordPress administrator account, gaining full access to the website, including the ability to install plugins, modify content, and escalate privileges to administrator level (privilege escalation).

Mitigation & patch

Update the Flynax Bridge plugin to a version higher than 2.2.0. According to the available changeset, the fix was introduced in the plugin repository (changeset 3306501). Apply patches available from the vendor according to the references.

Who is affected

The Flynax Bridge plugin for WordPress in all versions up to and including 2.2.0.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Flynax Bridge

    APP
    Flynax
    ≤ 2.2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassLPE
CWE
References

Related vulnerabilities

CVE-2025-3603CRITICAL9.8PL ✓ten sam produkt

Flynax Bridge dla WordPress — privilege escalation przez przejęcie konta

CVE-2025-4179HIGH7.3ten sam produkt

The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capabili...

CVE-2025-4177MEDIUM5.3ten sam produkt

The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability ...