Fresh Framework CVE-2025-26961
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in NotFound Fresh Framework allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Fresh Framework: from n/a through 1.70.0.
AnalysisAI
Broken access control in Fresh Framework WordPress plugin through version 1.70.0 allows remote unauthenticated attackers to access privileged functionality without proper authorization checks. The vulnerability bypasses authentication requirements (tagged as Authentication Bypass), enabling unauthorized modification of plugin settings or data (high integrity impact) with partial information disclosure. EPSS probability remains low (0.12%, 31st percentile), indicating limited observed exploitation attempts, though the network-accessible attack vector and lack of complexity make exploitation straightforward once discovered.
Technical ContextAI
Fresh Framework is a WordPress plugin framework. This vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to implement proper Access Control Lists (ACLs) on sensitive functionality. WordPress plugins must validate user capabilities and nonces on administrative functions using WordPress core functions like check_admin_referer() and current_user_can(). The missing authorization checks allow direct HTTP requests to restricted endpoints or AJAX handlers without verifying whether the requester has legitimate administrative privileges, a common vulnerability class in WordPress plugin development where developers expose AJAX actions or REST API endpoints without wp_verify_nonce() or capability checks.
Affected ProductsAI
NotFound Fresh Framework WordPress plugin versions from earliest available through 1.70.0 are confirmed vulnerable per NVD CPE data. The vulnerability affects all installations regardless of WordPress version or hosting environment. Patchstack advisory (reference URLs) provides authoritative vulnerability confirmation and coverage details for WordPress environments running this plugin.
RemediationAI
Immediately update Fresh Framework to version 1.70.1 or later if available, as version 1.70.0 is explicitly listed as the final vulnerable version. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/fresh-framework/ for the exact patched release version and vendor guidance. If no patch has been released yet, implement these compensating controls with associated trade-offs: (1) Temporarily deactivate Fresh Framework plugin if its features are non-critical-eliminates attack surface but removes plugin functionality. (2) Restrict access to /wp-admin/admin-ajax.php endpoints related to Fresh Framework via web application firewall rules requiring authenticated sessions-reduces exposure but may break legitimate AJAX functionality if rules are too broad. (3) Monitor WordPress access logs for unusual POST requests to admin-ajax.php with Fresh Framework action parameters from unauthenticated sources-provides detection but no prevention. Review Fresh Framework usage dependencies before deactivation to avoid breaking theme or site functionality.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today