CVE-2025-10849: CWE-862 Missing Authorization in RiceTheme Felan Framework
The Felan Framework plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_plugin_actions' function called via an AJAX action in versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to activate or deactivate arbitrary plugins.
AI Analysis
Technical Summary
CVE-2025-10849 identifies a missing authorization vulnerability (CWE-862) in the RiceTheme Felan Framework WordPress plugin, versions up to and including 1.1.4. The vulnerability exists in the 'process_plugin_actions' function, which is invoked via an AJAX action. This function fails to perform a capability check to verify whether the requester has the necessary permissions to activate or deactivate plugins. Consequently, unauthenticated attackers can send crafted AJAX requests to arbitrarily enable or disable plugins on the affected WordPress site. This unauthorized modification can disrupt site functionality, potentially disable security plugins, or enable malicious plugins, thereby undermining the integrity of the site. The vulnerability does not directly expose confidential data or cause denial of service but can be a stepping stone for further attacks. The CVSS v3.1 score is 5.3 (medium), reflecting network attack vector, no privileges required, no user interaction, and impact limited to integrity. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. The Felan Framework plugin is used in WordPress environments, which are widely deployed across Europe, especially in small to medium enterprises and public sector websites.
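The handler pattern described above, as an added illustration that is not Felan Framework source: a hypothetical AJAX callback registered for anonymous requests with no capability check, followed by the hardened form that adds a nonce check, the missing `current_user_can( 'activate_plugins' )` check, and input validation. The hook name `felan_plugin_action` and the `plugin`/`do` request fields are assumptions.

```php
<?php
// Added example, not the plugin's code. Hook and field names are assumed.

// VULNERABLE PATTERN (CWE-862): the wp_ajax_nopriv_ registration makes the
// callback reachable by anonymous visitors through admin-ajax.php, and the
// callback never checks whether the caller is allowed to change plugin state.
add_action( 'wp_ajax_nopriv_felan_plugin_action', 'vulnerable_process_plugin_actions' );
add_action( 'wp_ajax_felan_plugin_action', 'vulnerable_process_plugin_actions' );
function vulnerable_process_plugin_actions() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $plugin = $_POST['plugin'];          // unsanitised, unvalidated
    if ( 'activate' === $_POST['do'] ) {
        activate_plugin( $plugin );      // any plugin, for any caller
    } else {
        deactivate_plugins( $plugin );
    }
    wp_die();
}

// HARDENED FORM: logged-in hook only, CSRF nonce, capability check, and the
// target must be a plugin WordPress already knows about.
add_action( 'wp_ajax_felan_plugin_action', 'hardened_process_plugin_actions' );
function hardened_process_plugin_actions() {
    // Nonce assumed to be issued to the admin page with wp_create_nonce( 'felan_plugin_action' ).
    check_ajax_referer( 'felan_plugin_action', 'nonce' );
    if ( ! current_user_can( 'activate_plugins' ) ) {   // the authorization check that was missing
        wp_send_json_error( 'forbidden', 403 );
    }
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    $do     = sanitize_key( $_POST['do'] ?? '' );
    if ( ! array_key_exists( $plugin, get_plugins() ) ) { // only installed plugins, no path games
        wp_send_json_error( 'unknown plugin', 400 );
    }
    if ( 'activate' === $do ) {
        $result = activate_plugin( $plugin );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( $result->get_error_message(), 500 );
        }
    } elseif ( 'deactivate' === $do ) {
        deactivate_plugins( $plugin );
    } else {
        wp_send_json_error( 'bad action', 400 );
    }
    wp_send_json_success( array( 'plugin' => $plugin, 'action' => $do ) );
}
```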
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of their WordPress sites. Attackers can manipulate plugin states without authentication, potentially disabling security or monitoring plugins or activating malicious ones, which could lead to further compromise, data breaches, or defacement. Public-facing websites, government portals, and e-commerce platforms using the Felan Framework plugin are particularly vulnerable. The impact is heightened in sectors relying heavily on WordPress for content management and customer interaction. Although no direct confidentiality or availability impact is noted, the integrity compromise can cascade into more severe security incidents. The absence of known exploits currently limits immediate widespread damage, but the ease of exploitation and lack of authentication requirements make this a significant threat if weaponized. Organizations may face reputational damage, regulatory scrutiny, and operational disruption if exploited.
Mitigation Recommendations
Immediate mitigation involves monitoring for updates from RiceTheme and applying patches as soon as they are released. Until a patch is available, organizations should implement web application firewall (WAF) rules to detect and block unauthorized AJAX requests targeting the 'process_plugin_actions' endpoint. Restricting access to the WordPress admin-ajax.php endpoint via IP whitelisting or authentication enforcement can reduce exposure, although many themes and plugins rely on admin-ajax.php for unauthenticated front-end features, so restrictions should be scoped to the affected action rather than the whole endpoint where possible. Additionally, auditing active plugins regularly to detect unauthorized changes and employing intrusion detection systems to monitor anomalous plugin activation/deactivation events are recommended. Organizations should also enforce the principle of least privilege for WordPress users and consider disabling or removing the Felan Framework plugin if it is not essential. Regular backups and incident response plans should be updated to address potential exploitation scenarios.
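The auditing and anomaly-monitoring recommendations above, as an added example that is not part of Felan Framework or this advisory: a must-use plugin that logs every plugin activation or deactivation with the acting user and request context, alerts when the change was made by an unauthenticated or unprivileged caller, and runs a daily drift check of the active plugin list against a stored baseline. The `psa_` prefix, option names and the daily cron hook are assumptions.

```php
<?php
/**
 * Plugin Name: Plugin State Audit (added example, not Felan Framework code)
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Record who changed plugin state and how the request arrived.
function psa_record_change( $plugin, $network_wide, $event ) {
    $user  = wp_get_current_user();
    $entry = array(
        'time'        => gmdate( 'c' ),
        'event'       => $event,
        'plugin'      => $plugin,
        'network'     => (bool) $network_wide,
        'user_id'     => (int) $user->ID,   // 0 means no logged-in user
        'user'        => $user->ID ? $user->user_login : '(anonymous)',
        'via_ajax'    => wp_doing_ajax(),
        'ajax_action' => isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '',
        'remote_ip'   => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
    );
    error_log( 'plugin-audit ' . wp_json_encode( $entry ) );
    // A change with no user, or by a user lacking the capability, is the
    // anomaly a missing authorization check in an AJAX handler produces.
    if ( 0 === $entry['user_id'] || ! user_can( $user, 'activate_plugins' ) ) {
        wp_mail( get_option( 'admin_email' ),
            'Suspicious plugin ' . $event . ' on ' . home_url(),
            wp_json_encode( $entry, JSON_PRETTY_PRINT ) );
    }
}
add_action( 'activated_plugin', function ( $plugin, $network_wide = false ) {
    psa_record_change( $plugin, $network_wide, 'activated' );
}, 10, 2 );
add_action( 'deactivated_plugin', function ( $plugin, $network_wide = false ) {
    psa_record_change( $plugin, $network_wide, 'deactivated' );
}, 10, 2 );

// Daily drift check: catches changes that bypassed the hooks above
// (e.g. direct edits to the active_plugins option).
add_action( 'psa_daily_audit', function () {
    $now      = get_option( 'active_plugins', array() );
    $baseline = get_option( 'psa_plugin_baseline', null );
    if ( null === $baseline ) {            // first run: store the approved state
        update_option( 'psa_plugin_baseline', $now, false );
        return;
    }
    $drift = array( 'added' => array_values( array_diff( $now, $baseline ) ),
                    'removed' => array_values( array_diff( $baseline, $now ) ) );
    if ( $drift['added'] || $drift['removed'] ) {
        error_log( 'plugin-audit drift ' . wp_json_encode( $drift ) );
    }
} );
if ( ! wp_next_scheduled( 'psa_daily_audit' ) ) {
    wp_schedule_event( time(), 'daily', 'psa_daily_audit' );
}
```

After an approved plugin change, delete the `psa_plugin_baseline` option so the next run records the new state as the baseline.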
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-22T06:26:51.143Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 68f0983c20d29eed058254ae
Added to database: 10/16/2025, 7:01:16 AM
Last enriched: 10/16/2025, 7:17:29 AM
Last updated: 10/16/2025, 8:10:57 AM