The Felan Framework plugin for WordPress versions up to and including 1.1.4 contains a missing authorization (CWE-862) vulnerability in the 'process_plugin_actions' function. This function is invoked through an AJAX action but lacks proper capability checks, enabling unauthenticated users to modify plugin states by activating or deactivating plugins arbitrarily. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting a network attack vector with low complexity and no privileges or user interaction required, impacting integrity but not confidentiality or availability.

An attacker can remotely and without authentication activate or deactivate any plugin on a vulnerable WordPress installation using the Felan Framework plugin. This unauthorized modification of plugin states can lead to potential integrity issues, such as enabling malicious plugins or disabling security-related plugins, but does not directly affect confidentiality or availability according to the CVSS vector.

No official patch or fix is currently available for this vulnerability as per the provided data. Patch status is not yet confirmed — check the RiceTheme vendor advisory for current remediation guidance. Until a fix is released, administrators should consider restricting access to AJAX endpoints or disabling the Felan Framework plugin if feasible to prevent exploitation.