CVE-2025-4177

The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/src/API.php#L386	Product Technical Description
https://www.wordfence.com/threat-intel/vulnerabilities/id/dcb33d02-d384-4dff-91e1-c49e86b97d6e?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:flynax:flynax_bridge:*:*:*:*:*:wordpress:*:*

History

06 May 2025, 15:40

Type	Values Removed	Values Added
Summary		(es) El complemento Flynax Bridge para WordPress es vulnerable a la pérdida no autorizada de datos debido a la falta de comprobación de la función deleteUser() en todas las versiones hasta la 2.2.0 incluida. Esto permite que atacantes no autenticados eliminen usuarios arbitrarios.
References	~~() https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/src/API.php#L386 -~~	() https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/src/API.php#L386 - Product, Technical Description
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/dcb33d02-d384-4dff-91e1-c49e86b97d6e?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/dcb33d02-d384-4dff-91e1-c49e86b97d6e?source=cve - Third Party Advisory
First Time		Flynax Flynax flynax Bridge
CPE		cpe:2.3:a:flynax:flynax_bridge::::::wordpress::*

02 May 2025, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-02 03:15

Updated : 2025-05-06 15:40

NVD link : CVE-2025-4177

Mitre link : CVE-2025-4177

CVE.ORG link : CVE-2025-4177

JSON object : View

Products Affected

flynax

flynax_bridge

CWE

CWE-862

Missing Authorization

{"id": "CVE-2025-4177", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-05-02T03:15:21.397", "references": [{"url": "https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/src/API.php#L386", "tags": ["Product", "Technical Description"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dcb33d02-d384-4dff-91e1-c49e86b97d6e?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users."}, {"lang": "es", "value": "El complemento Flynax Bridge para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a la falta de comprobaci\u00f3n de la funci\u00f3n deleteUser() en todas las versiones hasta la 2.2.0 incluida. Esto permite que atacantes no autenticados eliminen usuarios arbitrarios."}], "lastModified": "2025-05-06T15:40:15.200", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:flynax:flynax_bridge:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "F761DE48-B834-4006-8045-6CB005EB29EC", "versionEndIncluding": "2.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}