CVE-2025-10850
Published: 16 October 2025
Description
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2025-10850 is an improper authentication vulnerability in the Felan Framework plugin for WordPress, affecting versions up to and including 1.1.4. The issue arises from hardcoded passwords within the 'fb_ajax_login_or_register' and 'google_ajax_login_or_register' functions, mapped to CWE-798 (Use of Hard-coded Credentials). Published on 2025-10-16, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), denoting critical severity due to its potential for high-impact remote exploitation.
Unauthenticated attackers can exploit this vulnerability to log in as any existing user on the affected site who registered via Facebook or Google social login and did not change their password afterward. Exploitation requires no privileges, no user interaction, and no special conditions beyond knowing or guessing the hardcoded credentials, so an attacker can impersonate such users and inherit their account privileges; if an administrator account was created this way, the result is full site takeover. Note that upgrading the plugin alone does not help accounts that already carry the hardcoded password: those passwords must be rotated as part of remediation.
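To make the defect class concrete, the following is an added illustration written for this page; it is not the Felan Framework's code and does not reproduce the plugin's actual functions or password. It shows a simplified WordPress social-login handler in the vulnerable shape the summary describes (every social-login account created with the same fixed password) beside a hardened version, plus the remediation step an operator needs after patching: rotating the password and sessions of every account that was created through social login. The function names, the `felan_social_id` meta key, the `verify_provider_token` helper and the placeholder password are all assumptions.

```php
<?php
// Added illustration (not the Felan Framework's code). Names, meta key and the
// token-verification helper are assumptions made for this example.

// --- Vulnerable pattern (hypothetical): every account created through social
// login receives the same hardcoded password, so anyone who learns it can sign
// in as any such user through the ordinary wp-login form (CWE-798).
function social_login_vulnerable( $email ) {
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        // Shared, constant secret across all users: the root cause.
        $user_id = wp_create_user( $email, 'PLACEHOLDER_FIXED_PASSWORD', $email );
        $user    = get_user_by( 'id', $user_id );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
}

// --- Hardened pattern: the provider token is verified server-side, the account
// is keyed on the provider's stable subject id (not just the e-mail address),
// and the local password is random, unique and never disclosed to anyone.
function social_login_hardened( $provider, $id_token ) {
    // Assumed helper: validates the Facebook/Google token with the provider and
    // returns array( 'sub' => ..., 'email' => ... ) or null on failure.
    $identity = verify_provider_token( $provider, $id_token );
    if ( ! $identity ) {
        wp_send_json_error( 'invalid token', 401 );
    }

    $social_id = $provider . ':' . $identity['sub'];
    $users     = get_users( array(
        'meta_key'   => 'felan_social_id',   // assumed meta key
        'meta_value' => $social_id,
        'number'     => 1,
    ) );
    $user = $users ? $users[0] : null;

    if ( ! $user ) {
        // Per-user random password; the user authenticates via the provider,
        // not via this password, so it is never shown or reused anywhere.
        $random  = wp_generate_password( 32, true, true );
        $user_id = wp_create_user( $identity['email'], $random, $identity['email'] );
        if ( is_wp_error( $user_id ) ) {
            wp_send_json_error( 'registration failed', 500 );
        }
        update_user_meta( $user_id, 'felan_social_id', $social_id );
        $user = get_user_by( 'id', $user_id );
    }

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    wp_send_json_success();
}

// --- Remediation after patching: accounts created while the vulnerable code was
// live still carry the hardcoded password. Rotate every social-login account's
// password and invalidate its existing sessions. Returns the number rotated.
function rotate_social_login_accounts() {
    $users = get_users( array(
        'meta_key'     => 'felan_social_id',   // assumed meta key
        'meta_compare' => 'EXISTS',
        'fields'       => 'ID',
    ) );
    foreach ( $users as $user_id ) {
        wp_set_password( wp_generate_password( 32, true, true ), $user_id );
        WP_Session_Tokens::get_instance( $user_id )->destroy_all();
    }
    return count( $users );
}
```

The hardened handler never trusts the e-mail address on its own, because an account lookup by e-mail lets a provider identity be bound to a pre-existing local account; keying on the provider subject id avoids that. The rotation routine is what closes the gap for users who "did not change their password afterward": patching the plugin changes future registrations but leaves old password hashes in place.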
Further details are available from the references: the plugin's ThemeForest product page at https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress-theme/53612955 and Wordfence's threat intelligence entry at https://www.wordfence.com/threat-intel/vulnerabilities/id/ab4c7656-544c-4f2f-a42f-264ac90e3b61?source=cve. CVE-2025-23504 is identified as a likely duplicate of this issue.
Details
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
- T1078.001 (Valid Accounts: Default Accounts)
Why these techniques?
The vulnerable code lives in a public-facing WordPress plugin, so the hardcoded passwords allow unauthenticated remote exploitation (T1190); because every social-login account shares the same default credential, a successful attacker logs in as a legitimate user whose password was never changed from that default (T1078.001).