CVE-2025-10850 CRITICAL

CVE-2025-10850: Felan Framework <= 1.1.4 - Hardcoded Credentials

Vendor Ricetheme
Product Felan Framework
Weakness CWE-798 · Hardcoded credentials
Published October 16, 2025
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to a hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function: every account created through these social-login flows receives the same fixed password, so it is effectively a shared credential. This makes it possible for unauthenticated attackers to log in as any existing user on the site who registered with Facebook or Google social login and did not change their password. CVE-2025-23504 is likely a duplicate of this issue.
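The pattern described above, as an added illustrative example that is not the Felan Framework's own code: a social-login handler that creates accounts with a constant password and then signs in with it (the CWE-798 shape), beside a hardened handler that generates a random password it never reuses and establishes the session from the already-verified provider identity, plus a clean-up routine for sites that already have such accounts. The real hardcoded value is not reproduced here; the `$profile` array, the `example_social_provider` user meta key and the function names are assumptions made for the illustration.

```php
<?php
// Added illustrative example, not code from the Felan Framework.
// Assumptions (not from the advisory): $profile is the provider's verified
// profile with 'email' and 'name' keys; the 'example_social_provider' meta
// key and the placeholder constant are hypothetical.

define( 'EXAMPLE_PLACEHOLDER_PASSWORD', 'not-the-real-value' );

// VULNERABLE pattern: every social-login account gets the same fixed password,
// and the handler then authenticates with that password via wp_signon().
// Anyone who knows the constant can log in as any such user through the
// ordinary wp-login.php form, without touching the social-login flow at all.
function vulnerable_social_login( array $profile, string $provider ) {
    $user = get_user_by( 'email', $profile['email'] );
    if ( ! $user ) {
        $user_id = wp_create_user( $profile['email'], EXAMPLE_PLACEHOLDER_PASSWORD, $profile['email'] );
        if ( is_wp_error( $user_id ) ) {
            return $user_id;
        }
        update_user_meta( $user_id, 'example_social_provider', $provider );
        $user = get_user_by( 'id', $user_id );
    }
    // The constant has to exist only because the session is created by a
    // password login; that design choice is the root of the weakness.
    return wp_signon( array(
        'user_login'    => $user->user_login,
        'user_password' => EXAMPLE_PLACEHOLDER_PASSWORD,
        'remember'      => true,
    ) );
}

// HARDENED pattern: a per-user random password that is never stored in code,
// never sent to anyone and never used to log in. The session is established
// directly from the provider identity the handler has already verified.
function hardened_social_login( array $profile, string $provider ) {
    $user = get_user_by( 'email', $profile['email'] );
    if ( ! $user ) {
        $random_password = wp_generate_password( 32, true, true );
        $user_id = wp_create_user( sanitize_user( $profile['email'], true ), $random_password, $profile['email'] );
        if ( is_wp_error( $user_id ) ) {
            return $user_id;
        }
        update_user_meta( $user_id, 'example_social_provider', $provider );
        $user = get_user_by( 'id', $user_id );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, true );
    do_action( 'wp_login', $user->user_login, $user );
    return $user;
}

// Clean-up after updating the plugin: accounts created under the vulnerable
// version still carry the shared password until it is rotated. Replacing it
// with a fresh random value also invalidates existing sessions for those users.
// The meta query is an assumption; adapt it to however the installed plugin
// marks social-login users (or rotate all accounts if that cannot be determined).
function rotate_social_login_passwords() {
    $user_ids = get_users( array(
        'meta_key' => 'example_social_provider',
        'fields'   => 'ID',
    ) );
    foreach ( $user_ids as $user_id ) {
        wp_set_password( wp_generate_password( 32, true, true ), $user_id );
    }
    return count( $user_ids );
}
```

After updating, `wp plugin list --fields=name,version,status` confirms the installed Felan Framework version is newer than 1.1.4, and `wp eval 'echo rotate_social_login_passwords();'` (with the routine loaded as a must-use plugin and the selector adapted to the real user-meta markers) reports how many accounts were rotated. The password-based `wp_signon()` step is what forces a hardcoded value into the vulnerable handler; once the session is created from the verified provider identity, no shared secret is needed anywhere.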

Explanation of Vulnerability in Simple Terms

02Summary

The Felan Framework's Facebook and Google social-login handlers create WordPress accounts with a password that is fixed in the plugin's source code rather than generated per user. Because the same password is assigned to every such account, an unauthenticated attacker who knows it can sign in through the normal WordPress login form as any user who registered via social login and never changed the password. The attacker inherits that user's role, which for an administrator account means full control over the site's data, content and availability. All versions up to and including 1.1.4 are affected. Update to a version newer than 1.1.4 as soon as possible and rotate the passwords of accounts created through social login.

What an attacker can do

03Attacker Capabilities

Sign in, with no prior access to the site, as any user who registered through the plugin's Facebook or Google social login and still has the hardcoded password, then act with that user's privileges: read the data the account can see, modify content, and, if the account is an administrator, take the site over or down.

Potential impact on your site

04Site Impact

Loss of confidentiality, integrity and availability up to complete takeover of the site when an administrator account was created through social login. The attacker presents a valid password, so the login succeeds without triggering any authentication barrier and appears in logs as an ordinary successful sign-in.

Conditions required to exploit

05Prerequisites

Network access to the site's login endpoint; no existing account and no user interaction are required. The site must run Felan Framework 1.1.4 or earlier and have at least one account created through the plugin's Facebook or Google social login whose password has not been changed since.

Key dates

06Disclosure timeline

October 16, 2025 CVE published
April 8, 2026 Record updated