CVE-2025-10850: CWE-798 Use of Hard-coded Credentials in RiceTheme Felan Framework
The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with Facebook or Google social login and did not change their password.
AI Analysis
Technical Summary
CVE-2025-10850 identifies a critical security vulnerability in the Felan Framework plugin for WordPress, developed by RiceTheme. The flaw stems from the use of hardcoded passwords within the 'fb_ajax_login_or_register' and 'google_ajax_login_or_register' functions, which handle Facebook and Google social login processes respectively. These hardcoded credentials allow unauthenticated attackers to bypass normal authentication controls and log in as any existing user who registered through these social login methods and did not subsequently change their password. Since the vulnerability affects all versions up to and including 1.1.4, any site running these versions is at risk. The vulnerability is classified under CWE-798 (Use of Hard-coded Credentials), a well-known security weakness that can lead to unauthorized access. The CVSS v3.1 base score of 9.8 reflects the vulnerability’s critical nature, with an attack vector that is network-based (remote), requiring no privileges or user interaction, and impacting confidentiality, integrity, and availability. This means an attacker can remotely gain full control over affected user accounts and potentially escalate privileges to compromise the entire WordPress site. No patches or fixes have been linked yet, and no exploits are currently reported in the wild, but the ease of exploitation and severity make it a high-priority issue for site administrators. The vulnerability highlights the risks of embedding static credentials in authentication code, especially in widely used CMS plugins.
Potential Impact
The impact of CVE-2025-10850 is severe for organizations using the Felan Framework plugin on WordPress sites. Attackers can gain unauthorized access to user accounts registered via Facebook or Google social login without needing any credentials or interaction, effectively bypassing authentication. This can lead to full site compromise, data theft, defacement, or use of the site as a launchpad for further attacks. Confidentiality is compromised as attackers can access sensitive user data; integrity is at risk due to potential unauthorized content changes; and availability may be affected if attackers disrupt site operations. Organizations relying on this plugin face reputational damage, regulatory compliance issues, and potential financial losses. The vulnerability’s ease of exploitation and lack of required privileges make it a prime target for automated attacks and mass exploitation campaigns once exploits become publicly available. The absence of a patch increases exposure time, amplifying risk.
Mitigation Recommendations
To mitigate CVE-2025-10850, organizations should immediately audit their WordPress installations for the presence of the Felan Framework plugin and verify the version in use. If running version 1.1.4 or earlier, they should disable or remove the plugin until a secure patch is released. Administrators should enforce password resets for all users who registered via Facebook or Google social login to invalidate any sessions potentially compromised by the hardcoded credentials. Implementing Web Application Firewalls (WAFs) with rules to detect and block suspicious login attempts targeting the vulnerable functions can provide temporary protection. Monitoring authentication logs for unusual login patterns is critical to detect exploitation attempts early. Developers should avoid hardcoded credentials in code and adopt secure authentication mechanisms such as OAuth tokens or dynamic credential management. Once a patch is available, it should be applied promptly. Additionally, educating users about the risks of not changing default or social login passwords can reduce exposure.
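The audit, version check, plugin deactivation and forced password reset described above, as an added WP-CLI shell script that is not part of this advisory. The plugin slug `felan-framework` and the user meta key used to find Facebook/Google registrations are assumed placeholders (the page does not name them); only the version comparison runs without a WordPress install.

```shell
#!/bin/sh
# Added example: check the installed Felan Framework version against the
# affected range (<= 1.1.4) and, if affected, deactivate the plugin and force
# a password reset plus session invalidation for social-login users.
PLUGIN_SLUG="felan-framework"        # ASSUMED plugin slug (placeholder)
SOCIAL_META_KEY="felan_social_login" # ASSUMED user meta key (placeholder)
LAST_AFFECTED="1.1.4"                # last affected version per the advisory

# version_le A B: exit 0 when version A <= version B.
# Dot-separated numeric fields; missing trailing fields count as 0,
# so "1.1" < "1.1.4" and "1.1.4.0" == "1.1.4".
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0;
      if (p < q) exit 0; if (p > q) exit 1;
    }
    exit 0 }'
}

# felan_is_vulnerable VERSION: exit 0 when VERSION is in the affected range.
felan_is_vulnerable() {
  version_le "$1" "$LAST_AFFECTED"
}

# Remediation via WP-CLI; run from the WordPress root.
remediate() {
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    echo "plugin $PLUGIN_SLUG is not installed"; return 0; }
  if felan_is_vulnerable "$installed"; then
    echo "Felan Framework $installed is affected (<= $LAST_AFFECTED): deactivating"
    wp plugin deactivate "$PLUGIN_SLUG"
    # Rotate the password (user is emailed a new one) and drop every live
    # session for each user flagged as a social-login registration.
    for uid in $(wp user list --meta_key="$SOCIAL_META_KEY" --field=ID); do
      wp user reset-password "$uid"
      wp user session destroy "$uid" --all
    done
  else
    echo "Felan Framework $installed is outside the affected range"
  fi
}

# Only touch a site when WP-CLI is actually present.
if command -v wp >/dev/null 2>&1; then remediate; fi
```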
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Italy, Spain, South Africa, Mexico, Indonesia
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-22T06:50:24.943Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f0983c20d29eed058254b2
Added to database: 10/16/2025, 7:01:16 AM
Last enriched: 2/27/2026, 6:41:32 PM
Last updated: 3/25/2026, 4:48:16 AM