{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10849", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-22T06:26:51.143Z", "datePublished": "2025-10-16T06:47:30.601Z", "dateUpdated": "2026-04-08T17:20:57.034Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:57.034Z"}, "affected": [{"vendor": "RiceTheme", "product": "Felan Framework", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Felan Framework plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_plugin_actions' function called via an AJAX action in versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to activate or deactivate arbitrary plugins."}], "title": "Felan Framework <= 1.1.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation/Deactivation via process_plugin_actions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5abd601-132a-4d8b-bfcc-afd5c6ed9947?source=cve"}, {"url": "https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress-theme/53612955"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "timeline": [{"time": "2025-09-22T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-15T18:07:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-16T13:31:56.965093Z", "id": "CVE-2025-10849", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-16T15:37:03.528Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10849", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-16T13:31:56.965093Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-16T13:31:58.630Z"}}], "cna": {"title": "Felan Framework <= 1.1.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation/Deactivation via process_plugin_actions", "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "RiceTheme", "product": "Felan Framework", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-22T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-15T18:07:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5abd601-132a-4d8b-bfcc-afd5c6ed9947?source=cve"}, {"url": "https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress-theme/53612955"}], "descriptions": [{"lang": "en", "value": "The Felan Framework plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_plugin_actions' function called via an AJAX action in versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to activate or deactivate arbitrary plugins."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:57.034Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10849", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:20:57.034Z", "dateReserved": "2025-09-22T06:26:51.143Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-16T06:47:30.601Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Felan Framework plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_plugin_actions' function called via an AJAX action in versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to activate or deactivate arbitrary plugins."}], "id": "CVE-2025-10849", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-16T07:15:32.710", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress-theme/53612955"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5abd601-132a-4d8b-bfcc-afd5c6ed9947?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:43:26.927939+00:00", "value": {"mitigation_remediation": ["Upgrade the Felan Framework to a version that implements a capability check for the process_plugin_actions function (consult RiceTheme release notes for the fix).", "If an upgrade is not immediately possible, restrict the AJAX endpoint by enforcing administrator capability checks, adding a nonce verification, or limiting access to the endpoint via a firewall rule that allows only trusted IPs.", "Conduct a thorough audit of all active plugins to identify any that were activated or deactivated by unauthorized actors, disable suspicious plugins, and restore the intended configuration."], "summary": {"action": "Patch", "impact": "Unauthorized plugin activation/deactivation"}, "threat_synthesis": {"affected_systems": "All installations of the Felan Framework theme supplied by RiceTheme up to and including version 1.1.4 are vulnerable. The flaw is confined to the process_plugin_actions function used by the theme\u2019s WordPress AJAX endpoint.", "description_and_impact": "The Felan Framework WordPress theme contains a missing capability check in the AJAX handler 'process_plugin_actions'. Any visitor, regardless of authentication status, can call this endpoint and instruct the site to activate or deactivate installed plugins. Because this action does not enforce the appropriate permission, it allows an attacker to alter plugin states. Based on the description, it is inferred that an attacker could activate a malicious plugin or disable security\u2011related plugins, potentially compromising integrity or availability.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score is below 1% and the vulnerability is not listed in CISA KEV, suggesting a low current exploitation probability. The attack vector is unauthenticated and remote, requiring only a crafted AJAX request. Successful exploitation gives the attacker the ability to alter plugin states; based on the vulnerability, this could enable execution of arbitrary code if a malicious plugin is activated, but the description does not explicitly confirm this outcome."}}}}, "created": "2025-10-20T13:25:19.302312+00:00", "updated": "2026-04-22T00:45:04.164198+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}