{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4179", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-01T12:40:24.882Z", "datePublished": "2025-05-02T01:43:35.815Z", "dateUpdated": "2026-04-08T17:12:36.062Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:36.062Z"}, "affected": [{"vendor": "v1rustyle", "product": "Flynax Bridge", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capability check on the registerUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to register new user accounts as authors."}], "title": "Flynax Bridge <= 2.2.0 - Unauthenticated Limited Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2447cf4-0261-4ef2-98ec-98fa02dc8b87?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/src/API.php#L288"}, {"url": "https://plugins.trac.wordpress.org/changeset/3306501/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-05-01T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-02T17:33:30.447813Z", "id": "CVE-2025-4179", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T17:37:18.152Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4179", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-02T17:33:30.447813Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T17:37:13.669Z"}}], "cna": {"title": "Flynax Bridge <= 2.2.0 - Unauthenticated Limited Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}}], "affected": [{"vendor": "v1rustyle", "product": "Flynax Bridge", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-01T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2447cf4-0261-4ef2-98ec-98fa02dc8b87?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/src/API.php#L288"}, {"url": "https://plugins.trac.wordpress.org/changeset/3306501/"}], "descriptions": [{"lang": "en", "value": "The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capability check on the registerUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to register new user accounts as authors."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:36.062Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4179", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:12:36.062Z", "dateReserved": "2025-05-01T12:40:24.882Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-02T01:43:35.815Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flynax:flynax_bridge:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F761DE48-B834-4006-8045-6CB005EB29EC", "versionEndIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capability check on the registerUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to register new user accounts as authors."}, {"lang": "es", "value": "El complemento Flynax Bridge para WordPress es vulnerable a una escalada de privilegios limitada debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n registerUser() en todas las versiones hasta la 2.2.0 incluida. Esto permite que atacantes no autenticados registren nuevas cuentas de usuario como autores."}], "id": "CVE-2025-4179", "lastModified": "2026-04-08T19:24:07.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-02T03:15:21.540", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/src/API.php#L288"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3306501/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2447cf4-0261-4ef2-98ec-98fa02dc8b87?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:03:27.778420+00:00", "value": {"mitigation_remediation": ["Update the Flynax Bridge plugin to any version newer than 2.2.0 to remove the missing capability check.", "If updating immediately is not possible, temporarily disable the public registration endpoint of the plugin or restrict account creation to administrators only.", "Configure WordPress to require administrative approval for all new user registrations, which will prevent the creation of unauthorized author accounts while a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Flynax Bridge plugin, v1rustyle Flynax Bridge, with any version \u22642.2.0. The vulnerability is confined to the plugin\u2019s user registration feature and does not affect other components of WordPress directly.", "description_and_impact": "The Flynax Bridge plugin for WordPress contains a missing capability check in the registerUser() function in versions up to and including 2.2.0. This flaw allows an attacker who is not logged in to create new user accounts with the author role. Because authors can publish and edit content, the attacker can compromise the integrity and confidentiality of site content and potentially serve as a foothold for further attacks.", "risk_and_exploitability": "The CVSS score of 7.3 indicates a high severity impact. The EPSS score is reported as <1%, suggesting exploitation is unlikely at present, though the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be web\u2011based; an unauthenticated attacker can register a new author account through the plugin\u2019s registration endpoint on any affected WordPress site. Once an author account is created, the attacker can publish, edit, or delete posts, thereby subverting the site\u2019s functionality."}}}}, "created": "2026-04-20T23:15:06.302091+00:00", "updated": "2026-04-20T23:15:06.302101+00:00", "vendors": []}