CVE-2025-4177: 
WordPress vulnerability analysis and mitigation

The Flynax Bridge plugin for WordPress contains a vulnerability (CVE-2025-4177) that affects all versions up to and including 2.2.0. The vulnerability was discovered and disclosed on May 1, 2025, and stems from a missing capability check in the deleteUser() function, which allows unauthenticated attackers to delete arbitrary users from WordPress installations (NVD, Wiz).

The vulnerability is classified as a Missing Authorization issue (CWE-862) and is located in the deleteUser() function at line 386 in the API.php file of the Flynax Bridge plugin. The function lacks proper authentication checks before executing user deletion operations. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to delete any user account from the WordPress installation. This can lead to denial of service for affected users and potential disruption of website operations by removing administrative or critical user accounts (Wiz).

Users of the Flynax Bridge plugin should immediately update to a version newer than 2.2.0 if available, or consider disabling the plugin until a patch is released. Website administrators should also monitor their user accounts for any unauthorized deletions (Wiz).