CVE-2025-10850
Published: 16 October 2025
Summary
CVE-2025-10850 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in ThemeForest (vendor inferred from references; the affected product is the Felan Framework WordPress plugin). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates proper management of authenticators, explicitly prohibiting hard-coded credentials used in the plugin's login functions.
SI-2 requires identification, reporting, and timely correction of flaws like this improper authentication vulnerability in the WordPress plugin.
RA-5 ensures ongoing vulnerability scanning and monitoring that would identify this critical CVE in the Felan Framework plugin.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress plugin enables unauthenticated remote exploitation (T1190) via hard-coded passwords, allowing login as users who registered through social login and never changed the default credentials (T1078.001).
NVD Description
The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password. CVE-2025-23504 is likely a duplicate of this issue.
Deeper analysis
CVE-2025-10850 is an improper authentication vulnerability in the Felan Framework plugin for WordPress, affecting versions up to and including 1.1.4. The issue arises from hardcoded passwords within the 'fb_ajax_login_or_register' and 'google_ajax_login_or_register' functions, mapped to CWE-798 (Use of Hard-coded Credentials). Published on 2025-10-16, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), denoting critical severity due to its potential for high-impact remote exploitation.
Unauthenticated attackers can exploit this vulnerability to log in as any existing user on the affected site who registered via Facebook or Google social login and did not change their password afterward. Exploitation requires no privileges, user interaction, or special conditions beyond knowing or guessing the hardcoded credentials, enabling attackers to impersonate victims and access their account privileges, which could lead to full site takeover if targeting administrators.
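The following is an added illustration, not code from the Felan Framework plugin or from the advisory, of the CWE-798 pattern the analysis describes in a WordPress social-login handler, beside a hardened version and a remediation routine for accounts created under the weak pattern. The fixed-password constant, the verify_provider_token() helper and the user-meta key used to find social-login accounts are assumptions; only the WordPress core functions (wp_create_user, wp_generate_password, wp_signon, wp_set_auth_cookie, wp_set_password, get_users) are real.

```php
<?php
// Added example (not the plugin's own code). Illustrates the weakness class
// CWE-798 in a social-login flow and how a defender closes it.

// --- Vulnerable pattern (constructed) ----------------------------------------
// Every account created through the social-login path receives the same fixed
// password, and login is performed with that password through wp_signon().
// Because wp_signon() treats it like any user-chosen password, whoever knows
// the literal can authenticate as any such account until the user changes it.
const SOCIAL_LOGIN_FIXED_PASSWORD = 'PLACEHOLDER_FIXED_PASSWORD'; // constructed placeholder

function vulnerable_social_login( $email ) {
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        $user_id = wp_create_user( $email, SOCIAL_LOGIN_FIXED_PASSWORD, $email );
        if ( is_wp_error( $user_id ) ) {
            return $user_id;
        }
        $user = get_user_by( 'id', $user_id );
    }
    // The shared literal is the only thing checked here.
    $signed = wp_signon( array(
        'user_login'    => $user->user_login,
        'user_password' => SOCIAL_LOGIN_FIXED_PASSWORD,
    ) );
    return is_wp_error( $signed ) ? $signed : $signed->ID;
}

// --- Hardened pattern ----------------------------------------------------------
// 1. The identity provider's token is verified server-side first.
//    verify_provider_token() is an ASSUMED helper that queries the provider's
//    token-info endpoint and returns the verified e-mail address or null.
// 2. New accounts get a random, unguessable password that is never used to
//    log in; the session is established from the verified identity instead,
//    so no password literal exists for an attacker to learn.
function hardened_social_login( $provider_token ) {
    $email = verify_provider_token( $provider_token ); // assumed helper
    if ( $email === null ) {
        return new WP_Error( 'social_login_invalid', 'Provider token could not be verified.' );
    }
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        // 32-character random password with special characters; stored hashed
        // by WordPress and never shown to or needed by the user.
        $user_id = wp_create_user( $email, wp_generate_password( 32, true, true ), $email );
        if ( is_wp_error( $user_id ) ) {
            return $user_id;
        }
        $user = get_user_by( 'id', $user_id );
        // Mark the account so it can be audited later (meta key is an assumption).
        update_user_meta( $user->ID, 'example_social_login_provider', 'verified_oauth' );
    }
    // Establish the session from the verified identity, not from a password.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    return $user->ID;
}

// --- Remediation for already-affected sites ------------------------------------
// Accounts created under the vulnerable pattern keep the fixed password until
// it is changed. This rotates every such account to a fresh random password;
// $meta_key is whatever marker the site uses to tag social-login accounts
// (assumed here; it must be adapted to the real installation).
function rotate_social_login_passwords( $meta_key ) {
    $user_ids = get_users( array( 'meta_key' => $meta_key, 'fields' => 'ID' ) );
    foreach ( $user_ids as $user_id ) {
        // wp_set_password() stores the new hash and invalidates existing sessions.
        wp_set_password( wp_generate_password( 32, true, true ), (int) $user_id );
    }
    return count( $user_ids );
}
```

The remediation routine is the operational counterpart of the IA-5 control cited above: it removes the shared authenticator from every account that still carries it rather than waiting for each user to change their own password, and it is what a site owner should run once the plugin has been updated past 1.1.4.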
Advisories provide further details via references including the plugin's ThemeForest product page at https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress-theme/53612955 and Wordfence's threat intelligence entry at https://www.wordfence.com/threat-intel/vulnerabilities/id/ab4c7656-544c-4f2f-a42f-264ac90e3b61?source=cve. CVE-2025-23504 is identified as a likely duplicate of this issue.
Details
- CWE(s)