CVE-2025-10850 · CRITICAL 9.8 · EPSS p43.1%

Description

The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to a hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site who registered with Facebook or Google social login and did not change their password. CVE-2025-23504 is likely a duplicate of this issue.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.58% probability of exploitation · percentile 43.1% · 2026-06-19T12:03:05Z
Published: 2025-10-16
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-798

References

  1. https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress-theme/53612955
  2. https://www.wordfence.com/threat-intel/vulnerabilities/id/ab4c7656-544c-4f2f-a42f-264ac90e3b61?source=cve

Type | Target | Confidence | Tier
Weakness | Use of Hard-coded Credentials (cwe-798) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-15001
CVE-2025-13539
CVE-2025-4104
CVE-2025-5821
CVE-2025-23504
CVE-2025-13613

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.