CVE-2025-23504
Published: 08 January 2026
Summary
CVE-2025-23504 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates authentication bypass via alternate path by explicitly identifying, authorizing, and monitoring actions permitted without identification or authentication.
Addresses the specific flaw in Felan Framework by requiring timely identification, reporting, and correction of vulnerabilities like this authentication bypass.
Enforces approved access authorizations in the system, preventing unauthorized account takeover through alternate channels in the WordPress plugin.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-23504 is an authentication bypass in a public-facing WordPress plugin (T1190: Exploit Public-Facing Application), enabling unauthenticated account takeover for unauthorized access using valid accounts (T1078: Valid Accounts).
NVD Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse.This issue affects Felan Framework: from n/a through <= 1.1.3.
Deeper analysisAI
CVE-2025-23504 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Felan Framework WordPress plugin developed by RiceTheme. This issue affects the felan-framework component in all versions from n/a through 1.1.3, enabling authentication abuse. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.
Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction. Successful exploitation allows authentication abuse, leading to account takeover as detailed in associated advisories, with high impacts on confidentiality, integrity, and availability.
The primary advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-account-takeover-vulnerability?_s_id=cve) provides further details on the WordPress Felan Framework plugin 1.1.3 account takeover vulnerability, including potential mitigation and patch information.
Details
- CWE(s)