Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RiceTheme Felan Framework felan-framework allows SQL Injection.This issue affects Felan Framework: from n/a through <= 1.1.3.
Published: 2026-01-08
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of special elements in SQL commands within the Felan Framework plugin. This flaw allows an attacker to inject arbitrary SQL statements, potentially retrieving, modifying, or deleting database contents. An attacker could gain unauthorized access to sensitive data or cause data loss.

Affected Systems

RiceTheme’s Felan Framework plugin versions from the initial release up to and including 1.1.3 are affected. Any WordPress site deploying these plugin versions is at risk.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the short term. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote input via the plugin’s front‑end interface, requiring user‑supplied parameters to craft malicious SQL.

Generated by OpenCVE AI on May 2, 2026 at 08:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Felan Framework plugin to version 1.1.4 or later, which includes the SQL injection fix.
  • If an immediate upgrade is not possible, temporarily disable the plugin until a patch is applied.
  • Implement application‑level input validation or a web application firewall to block suspicious SQL patterns until the plugin is updated.

Generated by OpenCVE AI on May 2, 2026 at 08:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 08 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RiceTheme Felan Framework felan-framework allows SQL Injection.This issue affects Felan Framework: from n/a through <= 1.1.3.
Title WordPress Felan Framework plugin <= 1.1.3 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:27.503Z

Reserved: 2025-01-16T11:33:30.626Z

Link: CVE-2025-23993

cve-icon Vulnrichment

Updated: 2026-01-08T14:57:48.899Z

cve-icon NVD

Status : Deferred

Published: 2026-01-08T10:15:48.650

Modified: 2026-04-27T17:16:25.563

Link: CVE-2025-23993

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T08:30:26Z

Weaknesses