Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse. This issue affects Felan Framework: from n/a through <= 1.1.3.
Published: 2026-01-08
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in RiceTheme's Felan Framework plugin allows an attacker to bypass the authentication mechanism by using an alternate path or channel. This enables unauthorized takeover of user accounts, granting the attacker full control over any account they can target. The flaw results in a critical compromise of confidentiality, integrity, and availability for the affected WordPress site.

Affected Systems

WordPress sites running the Felan Framework plugin from any release through version 1.1.3 are impacted. This includes all installations that have not applied a version later than 1.1.3.

Risk and Exploitability

The CVSS score of 9.8 reflects the high severity of the issue. The EPSS score of less than 1% indicates a very low probability of exploitation, though the flaw remains publicly documented and the plugin is widely used. It is not listed in CISA KEV. The likely attack vector is remote, web-based exploitation of the authentication bypass via an alternate endpoint, requiring only network access to the vulnerable WordPress site. No special privileges or advanced skills are required beyond identifying the vulnerable path.

Generated by OpenCVE AI on April 29, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated version of the Felan Framework plugin that removes the authentication-bypass flaw.
  • If an update is unavailable, disable the plugin or block access to its alternate authentication routes until a fix is released.
  • Audit the site's authentication endpoints to ensure they cannot be invoked through unintended URLs or parameters, and enforce strict access controls.
  • Continuously monitor authentication logs for unexpected activity and enforce multi-factor authentication where possible.

Generated by OpenCVE AI on April 29, 2026 at 14:53 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 08 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse. This issue affects Felan Framework: from n/a through <= 1.1.3.
Title WordPress Felan Framework plugin <= 1.1.3 - Account Takeover vulnerability
Weaknesses CWE-288
References

Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:01:21.292Z

Reserved: 2025-01-16T11:25:35.343Z

Link: CVE-2025-23504

Vulnrichment

Updated: 2026-01-08T14:58:08.487Z

NVD

Status: Deferred

Published: 2026-01-08T10:15:48.513

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-23504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T15:00:13Z

Weaknesses