Cyber Resilience

CVE-2025-23504

Critical

Published: 08 January 2026

Published
08 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0043 34.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-23504 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-23504 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Felan Framework WordPress plugin developed by RiceTheme. This issue affects the felan-framework component in all versions from n/a through 1.1.3, enabling authentication abuse. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.

Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction. Successful exploitation allows authentication abuse, leading to account takeover as detailed in associated advisories, with high impacts on confidentiality, integrity, and availability.

The primary advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-account-takeover-vulnerability?_s_id=cve) provides further details on the WordPress Felan Framework plugin 1.1.3 account takeover vulnerability, including potential mitigation and patch information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse.This issue affects Felan Framework: from n/a through <= 1.1.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

CVE-2025-23504 is an authentication bypass in a public-facing WordPress plugin (T1190: Exploit Public-Facing Application), enabling unauthenticated account takeover for unauthorized access using valid accounts (T1078: Valid Accounts).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-6895Shared CWE-288
CVE-2026-29139Shared CWE-288
CVE-2025-26966Shared CWE-288
CVE-2024-13182Shared CWE-288
CVE-2025-7444Shared CWE-288
CVE-2025-7642Shared CWE-288
CVE-2025-8359Shared CWE-288
CVE-2025-1564Shared CWE-288
CVE-2026-27389Shared CWE-288
CVE-2025-1061Shared CWE-288

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventdetect

Directly mitigates authentication bypass via alternate path by explicitly identifying, authorizing, and monitoring actions permitted without identification or authentication.

prevent

Addresses the specific flaw in Felan Framework by requiring timely identification, reporting, and correction of vulnerabilities like this authentication bypass.

prevent

Enforces approved access authorizations in the system, preventing unauthorized account takeover through alternate channels in the WordPress plugin.

References