CVE-2025-4177 MEDIUM

CVE-2025-4177: Flynax Bridge <= 2.2.0 - Unauthenticated Arbitrary User Deletion

Vendor V1Rustyle

Product Flynax Bridge

Weakness CWE-862 · Missing authorization

Published May 2, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users.

Key dates

02Disclosure timeline

May 2, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-4177 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2021-21246 Pre-Auth Access token leak CVE-2025-14155 Premium Addons for Elementor <= 4.11.53 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'get_template_content' CVE-2024-55876 XWiki's scheduler in subwiki allows scheduling operations for any main wiki user CVE-2026-28254 Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge CVE-2025-53288 WordPress PlatiOnline Payments plugin <= 7.0.0 - Broken Access Control vulnerability