CVE-2025-3604 CRITICAL

CVE-2025-3604: Flynax Bridge <= 2.2.0 - Unauthenticated Privilege Escalation via Account Takeover

Vendor V1Rustyle

Product Flynax Bridge

Weakness CWE-862 · Missing authorization

Published April 24, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Key dates

02Disclosure timeline

April 24, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-3604 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2025-12370 Takeads <= 1.0.13 - Missing Authorization to Plugin Settings Deletion CVE-2025-49998 WordPress WooCommerce Fortnox Integration plugin <= 4.5.5 - Broken Access Control Vulnerability CVE-2025-14854 WP-CRM System – Manage Clients and Projects <= 3.4.5 - Missing Authorization to Authenticated (Subscriber+) CRM Data Exposure and Task Modification CVE-2025-27000 WordPress Simple Photo Feed Plugin <= 1.4.0 - Broken Access Control vulnerability CVE-2025-3124 Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized access to private repository names