CVE-2025-4179: 
WordPress vulnerability analysis and mitigation

The Flynax Bridge plugin for WordPress contains a limited Privilege Escalation vulnerability (CVE-2025-4179) discovered and disclosed on May 1, 2025. The vulnerability affects all versions up to and including 2.2.0, stemming from a missing capability check in the registerUser() function, which allows unauthenticated attackers to create new user accounts with author privileges (NVD, Wiz).

The vulnerability originates from a missing authorization check in the registerUser() function within the API.php file of the Flynax Bridge plugin. The function allows the creation of new user accounts with author privileges without proper authentication verification. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L and is classified as CWE-862: Missing Authorization (NVD, Wiz).

The vulnerability enables unauthenticated attackers to create new user accounts with author privileges on affected WordPress installations. This could lead to unauthorized content publication, modification of existing content, and potential escalation of privileges through additional attack vectors (Wiz).

Website administrators running the Flynax Bridge plugin should update to a version newer than 2.2.0 as soon as it becomes available. Until then, it is recommended to implement additional security measures such as web application firewalls or to consider temporarily disabling the plugin if it's not critical to website operations (Wiz).