This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Critical flaw in **Felan Framework** (WordPress Plugin).β¦
π‘οΈ **CWE-798**: Use of Hard-coded Credentials. π **Flaw**: Developers embedded static passwords directly into the code for Facebook/Google login handlers. No dynamic password management or secure credential storage.
Q3Who is affected? (Versions/Components)
π¦ **Vendor**: RiceTheme. π¦ **Product**: Felan Framework (WordPress Plugin). β οΈ **Affected Versions**: **1.1.4 and earlier**. If you are on an older version, you are at risk.
Q4What can hackers do? (Privileges/Data)
π€ **Privileges**: Login as **ANY existing user**. π **Data Access**: Unauthorized access to sensitive user data. Full control over site functionalities associated with those accounts.β¦
π **Threshold**: **LOW**. π **Auth**: None required (PR:N). π **Access**: Network accessible (AV:N). π **UI**: No user interaction needed (UI:N). Easy to exploit remotely.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π **Exploit Available**: **YES**. π **PoC**: Public Proof-of-Concept available on GitHub (`pulsecipher/CVE-2025-10850`). π **Status**: Wild exploitation is likely given the low barrier to entry.
Q7How to self-check? (Features/Scanning)
π **Check**: Scan for **Felan Framework** version **β€ 1.1.4**. π **Feature**: Look for Facebook/Google social login features in the plugin. π οΈ **Tool**: Use WPScan or similar vulnerability scanners to detect the specificβ¦
π§ **Workaround**: If patching isn't immediate: 1. **Disable** Facebook/Google social login features. 2. **Force** password changes for all users who used social login. 3.β¦
π₯ **Priority**: **CRITICAL**. β±οΈ **Urgency**: **IMMEDIATE ACTION REQUIRED**. π **CVSS**: 9.8 (Critical). Do not delay. Patch now to prevent account takeover and data breaches.