CVE-2025-3604 is a critical security vulnerability identified in the Flynax Bridge plugin for WordPress, affecting all versions up to and including 2.2.0. The vulnerability is classified under CWE-862 (Missing Authorization), meaning the plugin fails to properly verify a user's identity before allowing updates to sensitive account details such as email addresses. This flaw allows unauthenticated attackers to arbitrarily modify any user's email address, including those of administrators. By changing the email address, attackers can trigger password reset mechanisms to gain full control over the targeted accounts without needing any prior authentication or user interaction. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), which significantly increases its risk. The CVSS v3.1 base score of 9.8 reflects its critical severity, with high impacts on confidentiality, integrity, and availability. The plugin is commonly used to integrate Flynax classified ads or marketplace platforms with WordPress, making affected sites potentially vulnerable to complete account takeover and subsequent malicious activities such as data theft, defacement, or further network compromise. As of the publication date, no official patches have been released, and no active exploitation has been reported, but the ease of exploitation and impact warrant immediate attention.

The vulnerability allows attackers to take over any user account, including administrators, on WordPress sites using the vulnerable Flynax Bridge plugin. This can lead to full site compromise, unauthorized data access, defacement, insertion of malicious content, or use of the site as a launchpad for further attacks within an organization’s network. The integrity and confidentiality of sensitive user data are at high risk, and availability may be impacted if attackers disrupt services or lock out legitimate users. Organizations relying on Flynax Bridge for classified ads or marketplace functionality face reputational damage, financial loss, and regulatory compliance issues if exploited. The lack of authentication and user interaction requirements makes this vulnerability highly exploitable, increasing the likelihood of widespread attacks once exploit code becomes available.

Until an official patch is released, organizations should implement immediate compensating controls. These include disabling or uninstalling the Flynax Bridge plugin if feasible, restricting access to the WordPress admin panel via IP whitelisting or VPN, and monitoring logs for suspicious email change requests or password resets. Enforce multi-factor authentication (MFA) for all administrator accounts to reduce the risk of account takeover. Regularly audit user accounts for unauthorized changes and review WordPress user roles and permissions. Employ web application firewalls (WAFs) with custom rules to detect and block attempts to exploit this vulnerability. Stay alert for vendor updates and apply patches promptly once available. Additionally, educate site administrators about the risk and signs of compromise to enable rapid incident response.