Authentication bypass in Felan Framework WordPress plugin versions up to 1.1.4 enables unauthenticated attackers to impersonate any user account registered via Facebook or Google social login. Hardcoded passwords in fb_ajax_login_or_register and google_ajax_login_or_register functions allow complete account takeover of affected users without requiring credentials. Exploitable remotely without user interaction. CVSS 9.8 Critical severity. No public exploit identified at time of analysis.
Google
WordPress
Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.3%