CVE-2025-10849 identifies a missing authorization vulnerability (CWE-862) in the RiceTheme Felan Framework plugin for WordPress, affecting all versions up to 1.1.4. The vulnerability arises because the 'process_plugin_actions' function, which handles plugin activation and deactivation via an AJAX call, does not perform any capability checks to verify if the requester is authorized to perform these actions. This omission allows unauthenticated attackers to send crafted AJAX requests to activate or deactivate arbitrary plugins on the affected WordPress site. Since plugins can significantly alter site behavior, attackers could leverage this to enable malicious plugins or disable security-related plugins, facilitating further compromise or persistent access. The vulnerability is remotely exploitable over the network without any authentication or user interaction, increasing its risk profile. The CVSS 3.1 base score is 5.3 (medium), reflecting the ease of exploitation and impact limited to integrity without direct confidentiality or availability consequences. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on 2025-09-22 and published on 2025-10-16 by Wordfence. Organizations using the Felan Framework plugin should be aware of this risk and monitor for updates or apply mitigations promptly.

The primary impact of this vulnerability is unauthorized modification of plugin states, which compromises the integrity of the WordPress environment. Attackers can activate malicious plugins or deactivate security plugins, potentially enabling further exploitation such as code execution, data tampering, or persistent backdoors. Although confidentiality and availability are not directly impacted, the integrity breach can lead to indirect effects including data exposure or site defacement. The vulnerability's ease of exploitation without authentication or user interaction increases the risk of automated attacks targeting vulnerable WordPress sites globally. Organizations relying on the Felan Framework plugin may face increased risk of website compromise, reputational damage, and potential loss of customer trust. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate the risk, especially as exploit code could be developed rapidly given the simplicity of the flaw.

1. Immediately monitor official RiceTheme channels and WordPress plugin repositories for patches or updates addressing CVE-2025-10849 and apply them as soon as they become available. 2. In the absence of an official patch, implement web application firewall (WAF) rules to block unauthorized AJAX requests targeting 'process_plugin_actions' endpoints, restricting access to authenticated and authorized users only. 3. Restrict access to the WordPress admin-ajax.php endpoint by IP address or other network controls where feasible to limit exposure. 4. Regularly audit installed plugins and their activation status to detect unauthorized changes promptly. 5. Employ WordPress security plugins that can monitor and alert on plugin state changes. 6. Educate site administrators about the risks of unauthorized plugin modifications and encourage strong administrative credential policies. 7. Consider temporarily disabling or removing the Felan Framework plugin if it is not critical to site operation until a fix is available. 8. Maintain comprehensive backups to enable rapid recovery if compromise occurs. These steps go beyond generic advice by focusing on specific controls around AJAX actions and plugin state monitoring relevant to this vulnerability.