CVE-2025-10850
Published: 16 October 2025
Summary
CVE-2025-10850 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in the Felan Framework WordPress plugin, distributed via ThemeForest (the affected product was inferred from the references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 46.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2025-10850 is an improper authentication vulnerability in the Felan Framework plugin for WordPress, affecting versions up to and including 1.1.4. The issue arises from hardcoded passwords within the 'fb_ajax_login_or_register' and 'google_ajax_login_or_register' functions, mapped to CWE-798 (Use of Hard-coded Credentials). Published on 2025-10-16, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), denoting critical severity due to its potential for high-impact remote exploitation.
Unauthenticated attackers can exploit this vulnerability to log in as any existing user on the affected site who registered via Facebook or Google social login and did not change their password afterward. Exploitation requires no privileges, user interaction, or special conditions beyond knowing or guessing the hardcoded credentials, enabling attackers to impersonate victims and access their account privileges, which could lead to full site takeover if targeting administrators.
Advisories provide further details via references including the plugin's ThemeForest product page at https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress-theme/53612955 and Wordfence's threat intelligence entry at https://www.wordfence.com/threat-intel/vulnerabilities/id/ab4c7656-544c-4f2f-a42f-264ac90e3b61?source=cve. CVE-2025-23504 is identified as a likely duplicate of this issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-34721
Vulnerability details
The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with Facebook or Google social login and did not change their password. CVE-2025-23504 is likely a duplicate of this issue.
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress plugin enables unauthenticated remote exploitation (T1190) via hardcoded passwords, allowing login as users whose accounts still carry the unchanged default credentials set during social login (T1078.001).
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates proper management of authenticators, explicitly prohibiting hard-coded credentials used in the plugin's login functions.
SI-2 requires identification, reporting, and timely correction of flaws like this improper authentication vulnerability in the WordPress plugin.
RA-5 ensures ongoing vulnerability scanning and monitoring that would identify this critical CVE in the Felan Framework plugin.
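As an added example (not code from the advisory, from Wordfence, or from the Felan Framework plugin itself), the Python below shows two defender-side checks that the RA-5/SI-2 controls above imply for this CVE: an inventory test that flags installed plugin versions in the advisory's affected range (up to and including 1.1.4), and a log scan that reports source IPs repeatedly hitting the social-login AJAX handlers. It assumes that the WordPress AJAX `action` parameter uses the same names as the PHP functions named in the advisory (`fb_ajax_login_or_register`, `google_ajax_login_or_register`) and that the action is visible in the logged request line; both are assumptions, and the log lines are constructed samples, not real traffic.

```python
"""Added example for CVE-2025-10850 (Felan Framework plugin for WordPress).
Not code from the advisory, Wordfence, or the plugin.

1. is_affected(): inventory check for plugin versions <= 1.1.4 (the range the
   advisory names).
2. burst_login_sources(): scans access-log lines for requests to the social-login
   AJAX handlers and reports source IPs that hit them repeatedly.

ASSUMPTIONS: the AJAX 'action' parameter carries the same names as the PHP
functions in the advisory, and the action appears in the logged request line
(e.g. as a query-string parameter). The log lines below are constructed samples.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

AFFECTED_MAX_VERSION = "1.1.4"           # from the advisory: versions <= 1.1.4
SOCIAL_LOGIN_ACTIONS = {                 # assumed AJAX action names (see docstring)
    "fb_ajax_login_or_register",
    "google_ajax_login_or_register",
}

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def _version_tuple(version: str) -> tuple:
    """'1.1.4' -> (1, 1, 4); tolerates a suffix such as '1.2.0-beta'."""
    core = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in core.group(1).split("."))


def is_affected(installed_version: str) -> bool:
    """True when the installed plugin version lies in the advisory's affected range."""
    return _version_tuple(installed_version) <= _version_tuple(AFFECTED_MAX_VERSION)


def social_login_action(target: str):
    """Return the matching social-login action name for an admin-ajax request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    for action in parse_qs(parts.query).get("action", []):
        if action in SOCIAL_LOGIN_ACTIONS:
            return action
    return None


def burst_login_sources(log_lines, threshold: int = 5) -> dict:
    """Map each source IP whose social-login hits reach `threshold` to its per-action counts."""
    hits = defaultdict(Counter)
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines instead of aborting the scan
        action = social_login_action(match.group("target"))
        if action is None:
            continue
        hits[match.group("ip")][action] += 1
    return {ip: dict(counts) for ip, counts in hits.items() if sum(counts.values()) >= threshold}


# Constructed sample traffic: one ordinary login, one source hammering the handlers.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Oct/2025:09:58:11 +0000] "POST /wp-admin/admin-ajax.php?action=google_ajax_login_or_register HTTP/1.1" 200 512',
    '192.0.2.10 - - [16/Oct/2025:09:58:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 8210',
] + [
    f'198.51.100.23 - - [16/Oct/2025:10:01:{sec:02d} +0000] "POST /wp-admin/admin-ajax.php?action=fb_ajax_login_or_register HTTP/1.1" 200 512'
    for sec in range(7)
] + [
    '198.51.100.23 - - [16/Oct/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=google_ajax_login_or_register HTTP/1.1" 200 512',
    'this line is deliberately malformed and must be skipped',
]

if __name__ == "__main__":
    for version in ("1.1.4", "1.1.5"):
        print(version, "affected" if is_affected(version) else "not affected")
    for ip, counts in burst_login_sources(SAMPLE_LOG).items():
        print(ip, counts)
```

The version check is what a plugin-inventory job (RA-5) would run against each site's installed Felan Framework version; the log scan is a starting point for a detection rule, with the threshold tuned to how often legitimate social logins arrive from one address on the site in question. If the AJAX action name is only present in the POST body, the same `social_login_action` logic can be applied to a WAF or application log that records form fields instead of the request line.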