Vulnerability Description
The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password. CVE-2025-23504 is likely a duplicate of this issue.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ab4c7656-544c-4f2f-a42
FAQ
What is CVE-2025-10850?
CVE-2025-10850 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' func...
How severe is CVE-2025-10850?
CVE-2025-10850 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-10850?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.