Description
The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Published: 2025-04-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Account Takeover leading to unauthorized access to administrative accounts
Action: Immediate Patch
AI Analysis

Impact

The Flynax Bridge plugin for WordPress does not verify who is making the request before it updates account details such as the email address. An unauthenticated attacker can therefore set an arbitrary user's email, including an administrator's, to an address they control and then start the normal WordPress password-reset flow: the reset link is delivered to the attacker's mailbox, they choose a new password, and they log in as that user. Because any account can be taken over this way, administrators included, the flaw amounts to full control of the site. The underlying weakness is CWE-862, Missing Authorization: the update is carried out without checking that the caller is permitted to act on the target account.
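
To make the CWE-862 pattern concrete, the following is an illustrative WordPress email-update endpoint that makes the same mistake, followed by a hardened version. It is an added example written for this page, not Flynax Bridge code: the route names, hook names, meta keys and parameter names are assumptions, and nothing here claims to reproduce the plugin's actual handler.

```php
<?php
/**
 * Illustrative pattern only (not Flynax Bridge code). Route, hook and parameter
 * names are assumptions made for this example.
 */

// --- Vulnerable pattern (CWE-862): the target identity comes from the request, not the session. ---
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/update-email', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true',   // anyone, including unauthenticated callers
        'callback'            => function (WP_REST_Request $req) {
            // The caller picks which account to edit; nothing ties it to who they are.
            $user_id = (int) $req->get_param('user_id');
            $email   = $req->get_param('email');
            $result  = wp_update_user(['ID' => $user_id, 'user_email' => $email]);
            // From here on the password-reset flow mails its link to $email,
            // so the caller can reset the password and log in as $user_id.
            return is_wp_error($result) ? $result : ['updated' => $user_id];
        },
    ]);
});

// --- Hardened version: authorise against the session, validate input, confirm the new address. ---
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/update-email-safe', [
        'methods'             => 'POST',
        'args'                => [
            'email' => [
                'required'          => true,
                'validate_callback' => fn($v) => is_email($v) !== false,
                'sanitize_callback' => 'sanitize_email',
            ],
        ],
        // Only a logged-in user reaches the callback; core already verified the
        // X-WP-Nonce that cookie-authenticated REST requests must carry.
        'permission_callback' => fn() => is_user_logged_in(),
        'callback'            => function (WP_REST_Request $req) {
            // The target is always the authenticated user: no user_id parameter to tamper with.
            $user_id = get_current_user_id();
            $email   = $req->get_param('email');
            if (email_exists($email)) {
                return new WP_Error('email_taken', 'That address is already in use.', ['status' => 409]);
            }
            // Do not switch the address yet: park it as pending and require a click-through
            // from the new mailbox, so a hijacked session alone cannot redirect password resets.
            $token = wp_generate_password(32, false);
            update_user_meta($user_id, 'example_pending_email', [
                'email'   => $email,
                'hash'    => wp_hash($token),
                'expires' => time() + HOUR_IN_SECONDS,
            ]);
            $link = add_query_arg(['example_confirm' => $token], home_url('/'));
            wp_mail($email, 'Confirm your new email address', "Open this link to confirm: $link");
            return ['pending' => true];
        },
    ]);
});

// Confirmation step: only the holder of the new mailbox can complete the change.
add_action('init', function () {
    if (!isset($_GET['example_confirm']) || !is_user_logged_in()) {
        return;
    }
    $user_id = get_current_user_id();
    $pending = get_user_meta($user_id, 'example_pending_email', true);
    if (!is_array($pending) || $pending['expires'] < time()
        || !hash_equals($pending['hash'], wp_hash((string) $_GET['example_confirm']))) {
        return;   // no pending change, expired, or wrong token: leave the stored address alone
    }
    wp_update_user(['ID' => $user_id, 'user_email' => $pending['email']]);
    delete_user_meta($user_id, 'example_pending_email');
});
```

The two changes that matter are that the hardened route never lets the caller name the account it edits (the target is taken from the authenticated session), and that the email is only written after someone proves control of the new mailbox. Either measure on its own would have blocked the attack chain described above: without the first, an unauthenticated caller can redirect any account's resets; without the second, anyone holding a victim's session can.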

Affected Systems

The vulnerability affects all versions of the Flynax Bridge plugin for WordPress up to and including 2.2.0 (CPE cpe:2.3:a:flynax:flynax_bridge:*:*:*:*:*:wordpress:*:*). Any WordPress site with one of these versions installed and active is affected, regardless of how the bridge is otherwise configured.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) gives a 9.8 Critical score: the flaw is reachable over the network, needs no privileges or user interaction, and ends in full loss of confidentiality, integrity and availability through the hijacked administrator account. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days; that reflects observed activity, not difficulty. The SSVC assessment on this record rates the issue Automatable: yes with Technical Impact: total while recording Exploitation: none, and the attack consists of ordinary HTTP requests followed by the standard password-reset flow. The vulnerability is not listed in CISA's KEV catalog. The advisory itself does not name the vulnerable endpoint; the OpenCVE analysis infers that the plugin's request.php handler accepts the email update without an authorization check, an inference that has not been confirmed against the plugin source. No credentials or prior access are required, so any party that can reach the site is a potential attacker.

Generated by OpenCVE AI on April 22, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flynax Bridge to a version newer than 2.2.0 as soon as the vendor publishes one; until then, deactivate and uninstall the plugin. Deactivating alone is not enough if the vulnerable handler is a PHP file that can be requested directly, so remove the plugin directory rather than leaving it on disk.
  • If the plugin must stay, block unauthenticated access at the web server or WAF to the handler the analysis above infers (request.php) and to any other plugin interface that updates user details. Check first what legitimately calls that endpoint, since the bridge's own integration may depend on it, and verify the block with an unauthenticated request after deploying it.
  • Review the email addresses of all administrator accounts (for example with wp user list --role=administrator --fields=ID,user_login,user_email) and treat any address you did not set as evidence of compromise: restore it, rotate that account's password and sessions, and check for other changes made from it.
  • Enforce two-factor authentication for all administrative accounts, so a reset password alone does not grant a login, and monitor for changes to administrators' email addresses and for unexpected password-reset emails.
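
As a compensating control while no vendor fix is available, the following must-use plugin refuses any change to an administrator's email address that is not made by a logged-in user allowed to edit that account (or by WP-CLI on the server), and logs the attempt. It is an added example written for this page, not vendor or OpenCVE code. It assumes the plugin's update reaches wp_update_user, since the filter below runs inside wp_insert_user just before the users row is written; the log prefix, file name and the WP-CLI allowance are choices made for the example.

```php
<?php
/**
 * Plugin Name: Admin Email Change Guard
 * Description: Illustrative compensating control (added example, not vendor code).
 * Install as wp-content/mu-plugins/admin-email-guard.php so it loads before ordinary plugins.
 */

/**
 * Runs inside wp_insert_user() just before the users row is written, for both core
 * profile updates and any plugin that calls wp_update_user(). Returns the (possibly
 * neutralised) $data array that WordPress will store.
 */
add_filter('wp_pre_insert_user_data', function (array $data, bool $update, $user_id) {
    if (!$update || !$user_id || !isset($data['user_email'])) {
        return $data;                      // account creation, or an update that does not touch the email
    }

    $target = get_userdata((int) $user_id);
    if (!$target || !in_array('administrator', (array) $target->roles, true)) {
        return $data;                      // only administrator accounts are guarded here
    }
    if (strcasecmp($target->user_email, (string) $data['user_email']) === 0) {
        return $data;                      // email unchanged
    }

    // Allowed paths: WP-CLI on the server, or an authenticated user who may edit this account.
    $via_cli = defined('WP_CLI') && WP_CLI;
    if ($via_cli || (is_user_logged_in() && current_user_can('edit_user', (int) $user_id))) {
        error_log(sprintf('[admin-email-guard] admin #%d email %s -> %s by %s',
            $user_id, $target->user_email, $data['user_email'],
            $via_cli ? 'wp-cli' : 'user #' . get_current_user_id()));
        return $data;
    }

    // Everything else (an unauthenticated request, or a caller without edit_user) is refused:
    // the stored address stays as it was, so a password-reset link still reaches the real owner.
    error_log(sprintf('[admin-email-guard] BLOCKED admin #%d email change to %s from %s %s',
        $user_id, $data['user_email'],
        $_SERVER['REMOTE_ADDR'] ?? '-',
        ($_SERVER['REQUEST_METHOD'] ?? '-') . ' ' . ($_SERVER['REQUEST_URI'] ?? '-')));
    $data['user_email'] = $target->user_email;
    return $data;
}, 10, 3);
```

This is a safety net, not a substitute for removing the plugin: the filter only sees updates that pass through wp_update_user or wp_insert_user, so code that writes the users table directly with $wpdb bypasses it. Because WordPress decides whether to send its own "Email Changed" notice before this filter runs, the real owner at the old address will typically still receive that notice even though the stored address did not change, which is a useful second alert. Watch the PHP error log for [admin-email-guard] BLOCKED entries; each one records the source address and request URI of an attempt to redirect an administrator's password resets.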

Advisories
Source: EUVD
ID: EUVD-2025-12128
Title: The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
History

Wed, 08 Apr 2026 17:45:00 +0000
  References: changed (values not shown)

Tue, 12 Aug 2025 18:00:00 +0000
  First Time appeared: Flynax; Flynax flynax Bridge
  CPEs: cpe:2.3:a:flynax:flynax_bridge:*:*:*:*:*:wordpress:*:*
  Vendors & Products: Flynax; Flynax flynax Bridge

Thu, 24 Apr 2025 14:15:00 +0000
  Metrics added: ssvc (version 2.0.3): Automatable: yes; Exploitation: none; Technical Impact: total

Thu, 24 Apr 2025 08:45:00 +0000
  Description: The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
  Title: Flynax Bridge <= 2.2.0 - Unauthenticated Privilege Escalation via Account Takeover
  Weaknesses: CWE-862
  References: added (values not shown)
  Metrics added: cvssV3_1: score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


MITRE
  Status: PUBLISHED
  Assigner: Wordfence
  Published:
  Updated: 2026-04-08T17:09:39.913Z
  Reserved: 2025-04-14T19:34:06.967Z
  Link: CVE-2025-3604

Vulnrichment
  Updated: 2025-04-24T13:56:49.461Z

NVD
  Status: Modified
  Published: 2025-04-24T09:15:31.537
  Modified: 2026-04-08T18:24:43.243
  Link: CVE-2025-3604

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-22T01:45:05Z

Weaknesses