Skip to main content

Fresh Framework CVE-2025-26961

HIGH
Missing Authorization (CWE-862)
2025-03-15 audit@patchstack.com
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:25 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:31 vuln.today
CVE Published
Mar 15, 2025 - 22:15 nvd
HIGH 8.6

DescriptionCVE.org

Missing Authorization vulnerability in NotFound Fresh Framework allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Fresh Framework: from n/a through 1.70.0.

AnalysisAI

Broken access control in Fresh Framework WordPress plugin through version 1.70.0 allows remote unauthenticated attackers to access privileged functionality without proper authorization checks. The vulnerability bypasses authentication requirements (tagged as Authentication Bypass), enabling unauthorized modification of plugin settings or data (high integrity impact) with partial information disclosure. EPSS probability remains low (0.12%, 31st percentile), indicating limited observed exploitation attempts, though the network-accessible attack vector and lack of complexity make exploitation straightforward once discovered.

Technical ContextAI

Fresh Framework is a WordPress plugin framework. This vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to implement proper Access Control Lists (ACLs) on sensitive functionality. WordPress plugins must validate user capabilities and nonces on administrative functions using WordPress core functions like check_admin_referer() and current_user_can(). The missing authorization checks allow direct HTTP requests to restricted endpoints or AJAX handlers without verifying whether the requester has legitimate administrative privileges, a common vulnerability class in WordPress plugin development where developers expose AJAX actions or REST API endpoints without wp_verify_nonce() or capability checks.

Affected ProductsAI

NotFound Fresh Framework WordPress plugin versions from earliest available through 1.70.0 are confirmed vulnerable per NVD CPE data. The vulnerability affects all installations regardless of WordPress version or hosting environment. Patchstack advisory (reference URLs) provides authoritative vulnerability confirmation and coverage details for WordPress environments running this plugin.

RemediationAI

Immediately update Fresh Framework to version 1.70.1 or later if available, as version 1.70.0 is explicitly listed as the final vulnerable version. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/fresh-framework/ for the exact patched release version and vendor guidance. If no patch has been released yet, implement these compensating controls with associated trade-offs: (1) Temporarily deactivate Fresh Framework plugin if its features are non-critical-eliminates attack surface but removes plugin functionality. (2) Restrict access to /wp-admin/admin-ajax.php endpoints related to Fresh Framework via web application firewall rules requiring authenticated sessions-reduces exposure but may break legitimate AJAX functionality if rules are too broad. (3) Monitor WordPress access logs for unusual POST requests to admin-ajax.php with Fresh Framework action parameters from unauthenticated sources-provides detection but no prevention. Review Fresh Framework usage dependencies before deactivation to avoid breaking theme or site functionality.

Share

CVE-2025-26961 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy