Skip to main content

Flowbox Flowbox CVE-2025-49338

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 16:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Flowbox Flowbox flowbox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flowbox: from n/a through <= 1.1.6.

AnalysisAI

Flowbox WordPress plugin through version 1.1.6 fails to enforce proper access control, allowing attackers to exploit misconfigured security levels and bypass authorization checks. The vulnerability enables unauthorized access to functionality that should require elevated permissions, affecting all installations of the vulnerable plugin versions without authentication requirements.

Technical ContextAI

This vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the application fails to verify that users have proper permissions before granting access to resources or functionality. In the context of a WordPress plugin like Flowbox, this typically manifests as inadequate nonce validation, missing capability checks on admin or restricted functions, or improper role-based access control (RBAC) implementation. The plugin's security architecture does not correctly enforce ACLs (Access Control Lists) at the application level, allowing unauthenticated or low-privileged users to perform actions reserved for administrators or specific user roles.

Affected ProductsAI

Flowbox WordPress plugin from version up to and including 1.1.6 is affected by this vulnerability. The plugin is available on the WordPress plugin repository, with the specific vulnerable versions identified in the Patchstack vulnerability database entry. All installations running Flowbox version 1.1.6 or earlier require immediate attention.

RemediationAI

Update Flowbox to a patched version released after 1.1.6. The primary remediation step is to upgrade the plugin through the WordPress plugin manager to the latest available version that addresses this authorization vulnerability. WordPress administrators should access their WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate Flowbox, and click the update button if available. Alternatively, administrators can check the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/flowbox/vulnerability/wordpress-flowbox-plugin-1-1-5-broken-access-control-vulnerability for the specific patched version number and manual installation instructions. As an interim workaround pending patch deployment, consider disabling the plugin if its core functionality is not critical to operations.

Share

CVE-2025-49338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy