Description
The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Published: 2025-04-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Unauthenticated Password Reset
Action: Immediate Upgrade
AI Analysis

Impact

The Flynax Bridge plugin for WordPress contains a flaw that allows an unauthenticated attacker to reset any user's password, including administrators. The plugin fails to verify that the requestor is the legitimate account owner before applying the password change, enabling an attacker to assume control of any account. This results in full account takeover and can lead to further compromise of the site.

Affected Systems

All installations of the Flynax Bridge WordPress plugin at version 2.2.0 or earlier are affected. The vulnerability is present in the B2B marketplace bridge component distributed under the Flynax brand. No host or operating-system constraints are listed, so the issue is confined to the plugin itself and applies to any WordPress installation that has it enabled.

Risk and Exploitability

The flaw carries a CVSS score of 9.8, denoting critical severity, but its EPSS score of less than 1% indicates a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers need no credentials or special conditions; an unauthenticated user can trigger the password reset by crafting a request to the vulnerable endpoint, making the attack vector straightforward and the potential damage severe due to full credential compromise.

Generated by OpenCVE AI on April 20, 2026 at 23:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Flynax Bridge documentation or vendor site for a patched version that addresses the password validation issue and install it as soon as possible.
  • If a patch is unavailable, employ a temporary workaround by restricting access to the password reset endpoint with server‑side authentication or IP whitelisting, limiting it to trusted administrators.
  • Enable strict password policy enforcement in WordPress and consider implementing two‑factor authentication on all administrative accounts to limit the impact of any remaining credential compromise.
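The page does not describe the plugin's vulnerable endpoint, so the following is an added, illustrative pair of WordPress REST handlers, not Flynax Bridge code. The first embodies the CWE-620 unverified-password-change pattern the advisory names (the client-supplied user ID is the only "identity" consulted); the second shows the checks a fix or a hardened replacement should enforce before a password is changed. The route namespace, route names and parameter names are assumptions for the example.

```php
<?php
/**
 * Added illustration (not Flynax Bridge code). Route namespace, route
 * names and parameter names are assumptions made for this example.
 */

// WEAK (CWE-620 pattern): any caller, logged in or not, can set any
// user's password; the target is whatever user_id the request carries.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-bridge/v1', '/password-weak', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // no identity check at all
        'callback'            => function ( WP_REST_Request $req ) {
            $user_id = (int) $req->get_param( 'user_id' );
            wp_set_password( (string) $req->get_param( 'new_password' ), $user_id );
            return rest_ensure_response( array( 'updated' => true ) );
        },
    ) );
} );

// HARDENED: the caller must be authenticated (for cookie auth WordPress core
// validates the X-WP-Nonce header before the callback runs), may only touch
// a user it is authorised to edit, and must prove it knows the current password.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-bridge/v1', '/password', array(
        'methods'             => 'POST',
        'args'                => array(
            'user_id'          => array( 'required' => true, 'type' => 'integer' ),
            'current_password' => array( 'required' => true, 'type' => 'string' ),
            'new_password'     => array( 'required' => true, 'type' => 'string' ),
        ),
        'permission_callback' => function ( WP_REST_Request $req ) {
            $target = (int) $req->get_param( 'user_id' );
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
            }
            // edit_user is granted to the user for their own account and to
            // accounts holding edit_users (administrators); everyone else is refused.
            if ( ! current_user_can( 'edit_user', $target ) ) {
                return new WP_Error( 'rest_forbidden', 'Not allowed to change this password.', array( 'status' => 403 ) );
            }
            return true;
        },
        'callback'            => function ( WP_REST_Request $req ) {
            $target = (int) $req->get_param( 'user_id' );
            $user   = get_userdata( $target );
            if ( ! $user ) {
                return new WP_Error( 'no_such_user', 'Unknown user.', array( 'status' => 404 ) );
            }
            // Re-authenticate with the current password so that a stolen session
            // cookie alone is not enough to lock the real owner out.
            $current = (string) $req->get_param( 'current_password' );
            if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
                return new WP_Error( 'bad_password', 'Current password is incorrect.', array( 'status' => 403 ) );
            }
            wp_set_password( (string) $req->get_param( 'new_password' ), $user->ID );
            return rest_ensure_response( array( 'updated' => true ) );
        },
    ) );
} );
```

The `permission_callback` is the place WordPress expects authorization decisions; putting the identity check there rather than inside the handler means the change is refused before any parameters are acted on, and a missing or `__return_true` callback on a state-changing route is exactly the condition a code review for this class of flaw should look for.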



Advisories

Source: EUVD
ID: EUVD-2025-12124
Title: The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
History

Wed, 08 Apr 2026 18:30:00 +0000

  • References

Tue, 12 Aug 2025 18:00:00 +0000

  • First Time appeared (added): Flynax; Flynax flynax Bridge
  • CPEs (added): cpe:2.3:a:flynax:flynax_bridge:*:*:*:*:*:wordpress:*:*
  • Vendors & Products (added): Flynax; Flynax flynax Bridge

Thu, 24 Apr 2025 13:15:00 +0000

  • Metrics (added): ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 08:45:00 +0000

  • Description (added): The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
  • Title (added): Flynax Bridge <= 2.2.0 - Unauthenticated Privilege Escalation via Password Update
  • Weaknesses (added): CWE-620
  • References
  • Metrics (added): cvssV3_1
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:22.853Z

Reserved: 2025-04-14T19:32:11.722Z

Link: CVE-2025-3603

Vulnrichment

Updated: 2025-04-24T13:04:03.822Z

NVD

Status: Modified

Published: 2025-04-24T09:15:31.367

Modified: 2026-04-08T19:24:03.150

Link: CVE-2025-3603

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses