Description
The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password. CVE-2025-23504 is likely a duplicate of this issue.
Published: 2025-10-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from hardcoded credentials embedded in the 'fb_ajax_login_or_register' and 'google_ajax_login_or_register' functions of the Felan Framework plugin. This flaw allows unauthenticated callers to authenticate as any user who registered via Facebook or Google and did not change the default password, effectively bypassing the normal authentication process. The compromised accounts could be used for data theft, privilege escalation, or to spread malicious content.

Affected Systems

Affected parties are owners and administrators of WordPress installations running the RiceTheme Felan Framework plugin version 1.1.4 or earlier. The vulnerability exists across all installations of the plugin that have not been updated beyond this version threshold.

Risk and Exploitability

With a CVSS score of 9.8 the flaw is considered critical. The EPSS score is below 1 % and the vulnerability is not listed in CISA’s KEV catalog, indicating that documented exploitation is rare at present. However, the likely attack vector, based on the description, is external and requires no authentication, so an attacker can exploit the flaw simply by sending the vulnerable AJAX requests to the public site endpoints, assuming the social‑login routes are enabled. The lack of login monitoring and the use of hardcoded passwords make exploitation straightforward once the target is identified.

Generated by OpenCVE AI on April 21, 2026 at 18:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Felan Framework plugin to the latest officially released version that removes hardcoded passwords.
  • If an update is not yet available, disable the 'facebook' and 'google' AJAX login routes or remove the social‑login add‑ons entirely until the issue is fixed.
  • Audit the plugin’s source code for any remaining hardcoded credentials or insecure authentication paths, and apply remedial fixes such as enforcing password change on registration or adding two‑factor authentication.
  • Strengthen overall site security by enforcing strong password policies and monitoring login attempts for suspicious activity.

Generated by OpenCVE AI on April 21, 2026 at 18:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password. The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password. CVE-2025-23504 is likely a duplicate of this issue.

Mon, 20 Oct 2025 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 16 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Oct 2025 07:00:00 +0000

Type Values Removed Values Added
Description The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password.
Title Felan Framework <= 1.1.4 - Hardcoded Credentials
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:32.471Z

Reserved: 2025-09-22T06:50:24.943Z

Link: CVE-2025-10850

cve-icon Vulnrichment

Updated: 2025-10-16T13:32:15.567Z

cve-icon NVD

Status : Deferred

Published: 2025-10-16T07:15:32.897

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10850

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:00:36Z

Weaknesses