CVE-2025-49338
Description
Missing Authorization vulnerability in Flowbox Flowbox flowbox allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flowbox: from n/a through <= 1.1.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in the Flowbox plugin (≤1.1.6) allows unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability Overview
CVE-2025-49338 is a missing authorization vulnerability in the Flowbox plugin for WordPress, affecting versions from n/a through 1.1.6. The issue stems from incorrectly configured access control security levels, allowing unauthenticated attackers to bypass intended restrictions [1].
Exploitation
This broken access control vulnerability can be exploited without authentication, because the plugin fails to properly verify user permissions or nonce tokens in certain functions. Attackers can target any WordPress site running the vulnerable plugin version, regardless of traffic size or popularity [1].
Impact
Successful exploitation enables an attacker to perform higher-privileged actions that should be restricted, such as modifying plugin settings or accessing protected data. This vulnerability is known to be used in mass-exploit campaigns against thousands of websites simultaneously [1].
Mitigation
Users should immediately update the Flowbox plugin to a patched version beyond 1.1.6. If updating is not possible, contact your hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.