Description
The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users.
Published: 2025-05-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account Deletion
Action: Apply Patch
AI Analysis

Impact

The Flynax Bridge plugin for WordPress lacks a required capability check on its deleteUser() function. This flaw allows an attacker who does not need to be logged in to call the function and remove any user account from the site. Deleting accounts can lead to loss of privileged access, disabling of legitimate users, and potential data loss or denial of services.

Affected Systems

WordPress installations that have the Flynax Bridge plugin enabled and running a version up through 2.2.0 are affected. The vulnerability exists in every release up to that point.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating medium risk. An EPSS score of less than 1% shows a very low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, because the flaw permits unauthenticated deletion of any account, an attacker could craft an HTTP request to the plugin’s API endpoint and trigger deleteUser without needing credentials.

Generated by OpenCVE AI on April 21, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Flynax Bridge plugin to the latest release that removes the missing capability check.
  • If a patch is not available, restrict access to the deleteUser API endpoint so that only authenticated users can invoke it, for example by adding access control rules in the web server or through .htaccess.
  • If the plugin’s functionality is no longer required, deactivate or uninstall it and audit existing accounts for unintended deletions.

Generated by OpenCVE AI on April 21, 2026 at 21:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12804 The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Tue, 06 May 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Flynax
Flynax flynax Bridge
CPEs cpe:2.3:a:flynax:flynax_bridge:*:*:*:*:*:wordpress:*:*
Vendors & Products Flynax
Flynax flynax Bridge

Fri, 02 May 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 02 May 2025 02:30:00 +0000

Type Values Removed Values Added
Description The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users.
Title Flynax Bridge <= 2.2.0 - Unauthenticated Arbitrary User Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Flynax Flynax Bridge
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:51.988Z

Reserved: 2025-05-01T12:36:50.385Z

Link: CVE-2025-4177

cve-icon Vulnrichment

Updated: 2025-05-02T17:27:03.583Z

cve-icon NVD

Status : Modified

Published: 2025-05-02T03:15:21.397

Modified: 2026-04-08T19:24:07.553

Link: CVE-2025-4177

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses