{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4177", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-01T12:36:50.385Z", "datePublished": "2025-05-02T01:43:36.565Z", "dateUpdated": "2026-04-08T17:27:51.988Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:51.988Z"}, "affected": [{"vendor": "v1rustyle", "product": "Flynax Bridge", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users."}], "title": "Flynax Bridge <= 2.2.0 - Unauthenticated Arbitrary User Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dcb33d02-d384-4dff-91e1-c49e86b97d6e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/src/API.php#L386"}, {"url": "https://plugins.trac.wordpress.org/changeset/3306501/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-05-01T12:37:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-02T17:26:42.634243Z", "id": "CVE-2025-4177", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T17:27:11.361Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4177", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-02T17:26:42.634243Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T17:27:03.583Z"}}], "cna": {"title": "Flynax Bridge <= 2.2.0 - Unauthenticated Arbitrary User Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "v1rustyle", "product": "Flynax Bridge", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-01T12:37:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dcb33d02-d384-4dff-91e1-c49e86b97d6e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/src/API.php#L386"}, {"url": "https://plugins.trac.wordpress.org/changeset/3306501/"}], "descriptions": [{"lang": "en", "value": "The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:51.988Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4177", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:27:51.988Z", "dateReserved": "2025-05-01T12:36:50.385Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-02T01:43:36.565Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flynax:flynax_bridge:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F761DE48-B834-4006-8045-6CB005EB29EC", "versionEndIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users."}, {"lang": "es", "value": "El complemento Flynax Bridge para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a la falta de comprobaci\u00f3n de la funci\u00f3n deleteUser() en todas las versiones hasta la 2.2.0 incluida. Esto permite que atacantes no autenticados eliminen usuarios arbitrarios."}], "id": "CVE-2025-4177", "lastModified": "2026-04-08T19:24:07.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-02T03:15:21.397", "references": [{"source": "security@wordfence.com", "tags": ["Product", "Technical Description"], "url": "https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/src/API.php#L386"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3306501/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dcb33d02-d384-4dff-91e1-c49e86b97d6e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:00:48.290667+00:00", "value": {"mitigation_remediation": ["Update the Flynax Bridge plugin to the latest release that removes the missing capability check.", "If a patch is not available, restrict access to the deleteUser API endpoint so that only authenticated users can invoke it, for example by adding access control rules in the web server or through .htaccess.", "If the plugin\u2019s functionality is no longer required, deactivate or uninstall it and audit existing accounts for unintended deletions."], "summary": {"action": "Apply Patch", "impact": "Account Deletion"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the Flynax Bridge plugin enabled and running a version up through 2.2.0 are affected. The vulnerability exists in every release up to that point.", "description_and_impact": "The Flynax Bridge plugin for WordPress lacks a required capability check on its deleteUser() function. This flaw allows an attacker who does not need to be logged in to call the function and remove any user account from the site. Deleting accounts can lead to loss of privileged access, disabling of legitimate users, and potential data loss or denial of services.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.3, indicating medium risk. An EPSS score of less than 1% shows a very low probability of exploitation in the wild, and the vulnerability is not listed in CISA\u2019s KEV catalog. Nonetheless, because the flaw permits unauthenticated deletion of any account, an attacker could craft an HTTP request to the plugin\u2019s API endpoint and trigger deleteUser without needing credentials."}}}}, "created": "2026-04-21T21:15:45.442047+00:00", "updated": "2026-04-21T21:15:45.442079+00:00", "vendors": []}