Lifecycle Timeline
Description (NVD)
Missing Authorization vulnerability in Flowbox Flowbox flowbox allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flowbox: from n/a through <= 1.1.6.
Analysis (AI)
The Flowbox WordPress plugin, in all versions up to and including 1.1.6, exposes functionality without verifying that the requesting user is authorized to use it (CWE-862). An attacker who can reach the affected endpoint can therefore perform an action that should have been restricted to a higher privilege level. The NVD description does not name the affected functionality or state whether the attacker must be logged in, so every installation running 1.1.6 or earlier should be treated as exposed until it is updated.
Technical Context (AI)
The root cause is CWE-862 (Missing Authorization): the code performs a privileged operation without first checking that the current user holds the permission that operation requires. In a WordPress plugin this usually means an admin-ajax.php handler, an admin_post action, or a REST route that runs without a current_user_can() capability check, or a REST route registered with a permission_callback that always returns true. Two points are worth keeping straight when reviewing plugin code for this class of bug. First, a nonce check (check_ajax_referer(), wp_verify_nonce()) only defends against CSRF; it does not establish authorization, because any user who can load the page that prints the nonce can obtain a valid one. Second, registering a handler on the wp_ajax_nopriv_ hook makes it reachable by unauthenticated visitors, so such handlers must never perform privileged work. The page does not identify which Flowbox handler is affected; the description only says that the access-control level enforced is lower than the one the functionality requires.
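The following is an added illustration of the vulnerable and hardened patterns described above. It is not Flowbox code and is not taken from the Patchstack entry; the hook, option, route and function names (everything prefixed example_) are hypothetical, and the snippet assumes it is loaded inside a WordPress plugin.

```php
<?php
/*
 * Added illustration of CWE-862 in WordPress plugin code. This is NOT Flowbox
 * code; the hook, option, route and function names (example_*) are hypothetical.
 * Assumes it is loaded as a WordPress plugin so core functions are available.
 */

/* ---- Vulnerable pattern: no authorization check ------------------------ */

// Reachable by every logged-in user via wp_ajax_ and, because of the nopriv
// hook, by anonymous visitors as well. Nothing checks who is calling.
add_action( 'wp_ajax_example_save_unsafe', 'example_save_settings_unsafe' );
add_action( 'wp_ajax_nopriv_example_save_unsafe', 'example_save_settings_unsafe' );
function example_save_settings_unsafe() {
    $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_api_key', $key ); // privileged state change, no caller check
    wp_send_json_success();
}

// REST variant: a permission_callback that always allows is the same bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings-unsafe', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save',
        'permission_callback' => '__return_true', // anyone may call this route
    ) );
} );

/* ---- Hardened pattern: CSRF check AND capability check ----------------- */

// Registered on wp_ajax_ only (no nopriv hook), so core refuses anonymous
// requests before the handler runs.
add_action( 'wp_ajax_example_save_safe', 'example_save_settings_safe' );
function example_save_settings_safe() {
    // Nonce: stops cross-site request forgery. On failure core terminates the
    // request with HTTP 403. This is NOT the authorization check.
    check_ajax_referer( 'example_save_settings', '_wpnonce' );

    // Authorization: the actual fix for CWE-862. A nonce alone would not be
    // enough, since any logged-in user can obtain one from a page that prints it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_api_key', $key );
    wp_send_json_success();
}

// REST variant: permission_callback is where authorization belongs. Cookie
// authenticated callers must also send a valid X-WP-Nonce for the user to be
// recognised; otherwise current_user_can() evaluates against an anonymous user.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'api_key' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Shared REST callback; only the route registration differs between the two.
function example_rest_save( WP_REST_Request $request ) {
    update_option( 'example_api_key', $request->get_param( 'api_key' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this bug class, grep for wp_ajax_nopriv_, admin_post_nopriv_ and permission_callback, then confirm that every handler which changes state or reads restricted data reaches a current_user_can() check (or an equivalent ownership check for per-user data) before doing the work.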
Affected Products (AI)
All versions of the Flowbox WordPress plugin up to and including 1.1.6 are affected; the NVD entry gives no lower bound ("from n/a"). The plugin is distributed through the WordPress plugin repository, and the Patchstack vulnerability database entry lists the affected versions. Any installation running 1.1.6 or earlier should be treated as vulnerable.
Remediation (AI)
Update Flowbox to a version newer than 1.1.6. This page does not name the fixed release, so confirm it in the Patchstack entry at https://patchstack.com/database/Wordpress/Plugin/flowbox/vulnerability/wordpress-flowbox-plugin-1-1-5-broken-access-control-vulnerability, which also carries manual installation instructions. In the WordPress admin dashboard, go to Plugins > Installed Plugins, locate Flowbox, apply the available update, and then confirm that the version shown there is above 1.1.6. If the update cannot be applied immediately, deactivate the plugin until it can: a deactivated plugin is not loaded by WordPress, so its hooks and therefore its unauthorized endpoints are no longer reachable.