CVE-2025-3604: CWE-862 Missing Authorization in v1rustyle Flynax Bridge

Severity: Medium
Published: Thu Apr 24 2025 (04/24/2025, 08:23:49 UTC)
Source: CVE
Vendor/Project: v1rustyle
Product: Flynax Bridge

Description

The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.

AI-Powered Analysis

Last updated: 06/24/2025, 03:27:54 UTC

Technical Analysis

CVE-2025-3604 is a vulnerability identified in the Flynax Bridge plugin for WordPress, developed by v1rustyle. This plugin is widely used to integrate Flynax classified ads software with WordPress sites. The vulnerability arises from a missing authorization check (CWE-862) in all versions up to and including 2.2.0. Specifically, the plugin fails to properly validate a user's identity before allowing updates to sensitive account details such as email addresses. This flaw enables unauthenticated attackers to arbitrarily change the email address associated with any user account, including those with administrative privileges. By changing the email, attackers can trigger password reset mechanisms to gain full control over the targeted accounts, effectively escalating their privileges without needing prior authentication or user interaction. The vulnerability impacts confidentiality, integrity, and availability of user accounts and potentially the entire WordPress site managed with this plugin. Although no public exploits have been reported yet, the ease of exploitation and the critical nature of account takeover make this a significant threat. The lack of a patch at the time of reporting further increases the risk for affected installations.
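The missing-authorization pattern described above, with a hardened handler beside it, as an added illustration that is not the Flynax Bridge plugin's code; the AJAX action name `bridge_update_email`, the nonce name, the parameter names and the function names are assumptions chosen to show the CWE-862 pattern in a generic WordPress plugin:

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler. Not Flynax Bridge
// code: action, nonce and parameter names are assumptions.

// --- Vulnerable pattern: reachable without a session (wp_ajax_nopriv_) and
// trusting a client-supplied user id. Registration shown in comments only so
// the file does not wire both handlers to the same action. ---
function vulnerable_update_email() {
    $user_id = (int) $_POST['user_id'];           // caller-controlled target
    $email   = sanitize_email( $_POST['email'] );
    // No check that the caller is logged in, owns $user_id, or holds any
    // capability: any visitor can re-point any account's email, then use the
    // normal password-reset flow against it.
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}
// add_action( 'wp_ajax_nopriv_bridge_update_email', 'vulnerable_update_email' );
// add_action( 'wp_ajax_bridge_update_email',        'vulnerable_update_email' );

// --- Hardened pattern: authenticate, verify a nonce, bind the target to the
// caller (or require the edit_user capability), and validate the input. ---
function hardened_update_email() {
    // 1. Authentication: no _nopriv_ hook, and checked explicitly anyway.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 ); // ends request
    }
    // 2. CSRF: the request must carry a nonce issued to this session.
    check_ajax_referer( 'bridge_update_email', 'nonce' );

    $caller_id = get_current_user_id();
    $target_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : $caller_id;
    $email     = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    // 3. Authorization: a user may change only their own address unless they
    //    hold edit_user for the target (administrators do, subscribers do not).
    if ( $target_id !== $caller_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'not permitted', 403 );
    }
    // 4. Validation: reject malformed addresses and ones owned by another user.
    $owner = email_exists( $email );
    if ( ! is_email( $email ) || ( $owner && (int) $owner !== $target_id ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    $result = wp_update_user( array( 'ID' => $target_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_bridge_update_email', 'hardened_update_email' );
```

The same four checks (authentication, nonce, capability bound to the target user, input validation) apply to any REST or AJAX endpoint that mutates account data; a `wp_ajax_nopriv_` registration on such an endpoint is itself a finding.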

Potential Impact

For European organizations, the impact of this vulnerability can be severe. Many businesses and service providers use WordPress with various plugins, including Flynax Bridge, to manage classified ads, marketplaces, or directory services. An attacker exploiting this vulnerability could gain administrative access, leading to unauthorized data access, data manipulation, or complete site takeover. This could result in data breaches involving personal data protected under GDPR, causing regulatory penalties and reputational damage. Additionally, compromised administrative accounts could be used to deploy further malware, deface websites, or launch phishing campaigns targeting European users. The disruption of services could impact business continuity, especially for organizations relying on classified ad platforms for revenue or customer engagement. The vulnerability's ability to bypass authentication and user interaction requirements makes it particularly dangerous in automated attack scenarios, increasing the likelihood of widespread exploitation if left unmitigated.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately audit their WordPress installations to identify the presence of the Flynax Bridge plugin and verify the version in use. Until an official patch is released, organizations should consider disabling or uninstalling the plugin to prevent exploitation. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized requests attempting to change user emails can provide temporary protection. Monitoring logs for unusual account email changes or password reset requests is critical for early detection. Organizations should also enforce multi-factor authentication (MFA) on all administrative accounts to reduce the impact of compromised credentials. Regular backups of website data and configurations will aid in recovery if an attack occurs. Finally, organizations should subscribe to vendor and security advisories to apply patches promptly once available and conduct security awareness training to recognize potential phishing attempts that may follow account takeovers.

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-04-14T19:34:06.967Z
CISA Enriched: true

Threat ID: 682d9840c4522896dcbf1420

Added to database: 5/21/2025, 9:09:20 AM

Last enriched: 6/24/2025, 3:27:54 AM

Last updated: 8/2/2025, 5:04:25 AM
