CVE-2025-3604: 
WordPress vulnerability analysis and mitigation

The Flynax Bridge plugin for WordPress contains a privilege escalation vulnerability via account takeover in all versions up to, and including, 2.2.0. The vulnerability was assigned CVE-2025-3604 and was disclosed on April 24, 2025. The issue affects WordPress installations with the Flynax Bridge plugin installed (NVD).

The vulnerability stems from improper validation of user identity prior to updating user details, specifically email addresses. The plugin fails to implement proper authorization checks when processing user detail updates. This vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level with network accessibility and no required privileges or user interaction (NVD).

The vulnerability allows unauthenticated attackers to change arbitrary users' email addresses, including those of administrators. Once an attacker changes an administrator's email address, they can leverage WordPress's password reset functionality to gain complete administrative access to the affected website (NVD).

Website administrators running the Flynax Bridge plugin should immediately update to a version newer than 2.2.0 if available, or remove the plugin if no patch is available (NVD).