CVE-2025-10850 Overview
CVE-2025-10850 is an improper authentication vulnerability in the Felan Framework plugin for WordPress, affecting all versions up to and including 1.1.4. The flaw originates from hardcoded passwords in the fb_ajax_login_or_register and google_ajax_login_or_register functions, which handle Facebook and Google social login flows. Unauthenticated attackers can log in as any existing user who registered via these social login providers and never changed their password. This issue is classified under [CWE-798: Use of Hard-coded Credentials]. CVE-2025-23504 is reported as a likely duplicate of this vulnerability.
Critical Impact
Unauthenticated attackers can take over WordPress accounts, including administrator accounts, registered through Facebook or Google social login.
Affected Products
- Felan Framework plugin for WordPress (versions ≤ 1.1.4)
- WordPress sites bundled with the Felan Freelance Marketplace and Job Board theme
- Any deployment relying on the plugin's social login (Facebook or Google) registration flow
Discovery Timeline
- 2025-10-16 - CVE-2025-10850 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-10850
Vulnerability Analysis
The Felan Framework plugin implements social authentication through two AJAX handlers: fb_ajax_login_or_register for Facebook and google_ajax_login_or_register for Google. Both functions assign a hardcoded password value when creating or authenticating accounts derived from social login identities. Because the password is static and embedded in the plugin source, any attacker who knows or recovers this value can authenticate as any user whose account was provisioned through these flows.
The vulnerability does not require user interaction, network privileges, or prior authentication. An attacker only needs the target user's email address or social identifier and the static credential to authenticate against the standard WordPress login endpoint. If a victim never rotated the plugin-assigned password after social registration, full account compromise follows. Administrator accounts created through the social flow grant complete site takeover, including arbitrary plugin installation and database access.
Root Cause
The root cause is the embedding of static authentication secrets in plugin source code, classified as [CWE-798]. The plugin substitutes a deterministic password rather than generating a cryptographically random secret per user or relying solely on OAuth token validation. This collapses the security boundary between social identity verification and WordPress's local password authentication.
Attack Vector
Exploitation occurs over the network against the WordPress login interface. The attacker enumerates or obtains the email address of a user known to have registered via Facebook or Google login, then submits the hardcoded password to wp-login.php or the plugin's AJAX endpoints. No social provider interaction is required at exploitation time. See the Wordfence Vulnerability Report for additional technical context.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in prose only.
Detection Methods for CVE-2025-10850
Indicators of Compromise
- Successful WordPress logins to accounts originally provisioned through Facebook or Google social registration from unfamiliar IP addresses or geolocations
- Repeated authentication attempts against wp-login.php targeting email addresses associated with social-registered users
- Unexpected privilege changes, plugin installations, or administrator account creation following a login event
- Web server logs showing direct POST requests to admin-ajax.php invoking fb_ajax_login_or_register or google_ajax_login_or_register
Detection Strategies
- Review WordPress audit logs for logins by users whose registration metadata indicates Facebook or Google provenance, then correlate against expected session origins
- Alert on any administrator session established without a corresponding OAuth callback in upstream proxy logs
- Inspect installed plugin versions and flag any Felan Framework install at or below version 1.1.4
Monitoring Recommendations
- Enable WordPress authentication logging through a security plugin or reverse proxy and forward events to a centralized log platform
- Monitor admin-ajax.php request volume and unique source IPs for the affected action names
- Track new administrator account creation and role escalation events in near real time
How to Mitigate CVE-2025-10850
Immediate Actions Required
- Update the Felan Framework plugin to a version above 1.1.4 once the vendor releases a fix
- Force a password reset for every WordPress user whose account was created through Facebook or Google social login
- Audit administrator and elevated-role accounts for unauthorized membership and remove any unrecognized entries
- Rotate WordPress secret keys in wp-config.php and invalidate active sessions
Patch Information
No fixed version is identified in the published advisory. Refer to the Wordfence Vulnerability Report and the ThemeForest product page for vendor update notices. Apply the patched release as soon as it is available.
Workarounds
- Disable the Felan Framework plugin until a patched version is installed
- Require multi-factor authentication (MFA) for all WordPress accounts, which blocks login with the hardcoded password alone
- Restrict access to wp-login.php and admin-ajax.php by IP allowlist or web application firewall rule during the remediation window
- Notify affected users to change passwords through the standard WordPress reset flow before re-enabling the plugin
# Configuration example: temporarily restrict wp-login.php via .htaccess
<Files wp-login.php>
Require ip 203.0.113.0/24
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
