Description Summary:
A critical SQL injection vulnerability in Fikir Odalari AdminPando allows unauthenticated attackers to bypass login and gain full administrative access, including DOM manipulation capabilities.

Executive Summary:
Fikir Odalari AdminPando is affected by a maximum-severity SQL injection vulnerability that allows unauthenticated attackers to seize full administrative control and deface public content.

Vulnerability Details

CVE-ID: CVE-2025-10878

Affected Software: Fikir Odalari AdminPando

Affected Versions: 1.0.1 before 2026-01-26

Vulnerability: The username and password parameters in the login functionality are susceptible to SQL injection. An unauthenticated attacker can use crafted SQL queries to bypass the authentication mechanism entirely.

Business Impact

This vulnerability carries a CVSS score of 10.0, representing the highest possible risk. Successful exploitation allows an attacker to gain full administrative privileges, enabling them to manipulate the underlying database, steal user information, and modify the public-facing website’s HTML/DOM. This can lead to massive reputational damage and total loss of data confidentiality.

Remediation Plan

Immediate Action: Apply the vendor-provided patch released on or after January 26, 2026, which implements prepared statements and input sanitization.

Proactive Monitoring: Review database logs for suspicious queries containing SQL keywords like UNION, SELECT, or ' OR '1'='1'.

Compensating Controls: Implement a Web Application Firewall (WAF) with aggressive SQL injection protection profiles to intercept malicious login attempts.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of Feb 3, 2026, there is no public information indicating active exploitation of this vulnerability. Given the simplicity of SQL injection in login forms, this is a high-priority target for threat actors.

Analyst Recommendation

Immediate patching is mandatory for all AdminPando installations. Because this flaw allows for complete system takeover and public website manipulation, administrators should also conduct a forensic audit to ensure the system has not already been compromised via this vector.

Executive Summary:
A high-severity SQL Injection vulnerability has been identified in a popular WordPress plugin, "Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers." This flaw could allow an unauthenticated attacker to manipulate the website's database, potentially leading to a complete compromise of the site, theft of sensitive user data, and unauthorized administrative access. Immediate patching is required to mitigate the significant risk of a data breach and website defacement.

Vulnerability Details

CVE-ID: CVE-2025-10862

Affected Software: WordPress Plugin: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers

Affected Versions: All versions up to and including 2.0

Vulnerability: The specified WordPress plugin is vulnerable to SQL Injection due to improper sanitization of user-supplied input before it is used in a database query. An unauthenticated attacker can craft a malicious request containing specially formatted SQL commands. When the vulnerable plugin processes this input, the malicious commands are executed directly against the backend database, allowing the attacker to read, modify, or delete sensitive data, bypass authentication mechanisms, or potentially achieve remote code execution depending on the database configuration.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could have severe consequences for the business, including a significant data breach involving customer information, payment details, or proprietary business data stored in the database. The potential for data loss or corruption could disrupt business operations, while unauthorized access could lead to website defacement, reputational damage, and loss of customer trust. The financial impact could be substantial, stemming from regulatory fines (e.g., GDPR, CCPA), incident response costs, and loss of revenue.

Remediation Plan

Immediate Action:

• Update: Immediately update the "Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers" plugin to the latest patched version provided by the vendor.
• Review and Remove: If the plugin is not essential for business operations, it is strongly recommended to deactivate and completely remove it from the WordPress installation to eliminate this attack vector.
• Verify: After updating or removing the plugin, verify that the website is functioning correctly and that the vulnerability has been mitigated.

Proactive Monitoring:

• Web Server Logs: Monitor web server and application logs for suspicious requests, particularly those targeting plugin endpoints and containing SQL keywords (SELECT, UNION, INSERT, --, ') or other malicious-looking patterns.
• WAF Logs: If a Web Application Firewall (WAF) is in place, review its logs for alerts related to SQL Injection attempts against the website.
• Database Activity: Monitor database logs for unusual or unauthorized queries, especially those indicating data exfiltration or modification.

Compensating Controls:

• Web Application Firewall (WAF): Implement and configure a WAF with a robust ruleset to detect and block SQL Injection attacks. This can serve as a critical layer of defense if immediate patching is not feasible.
• Principle of Least Privilege: Ensure the database user account associated with the WordPress application has only the minimum permissions necessary for its operation. This can limit the impact of a successful SQL Injection attack.

Exploitation Status

Public Exploit Available: False

Analyst Notes: As of the published date, October 9, 2025, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, SQL Injection vulnerabilities in widely-used WordPress plugins are highly sought after by threat actors, and it is anticipated that exploits will be developed and utilized shortly after public disclosure.

Analyst Recommendation

Given the high severity (CVSS 7.5) and the potential for complete database compromise by an unauthenticated attacker, this vulnerability requires immediate attention. Organizations are strongly advised to apply the vendor-supplied patch to all affected websites without delay. Although this CVE is not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for future inclusion. If patching cannot be performed immediately, implement a WAF with SQLi detection rules as a critical compensating control and prioritize the update within the next patch cycle.

Executive Summary:
A high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in a WordPress popup builder plugin. This flaw allows an unauthenticated attacker to trick the website's server into making unauthorized requests to internal network resources or external services. Successful exploitation could lead to the exposure of sensitive internal data and further compromise of the network infrastructure.

Vulnerability Details

CVE-ID: CVE-2025-10861

Affected Software: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress

Affected Versions: All versions up to, and including, 2

Vulnerability: The vulnerability is a Server-Side Request Forgery (SSRF). It exists because the plugin improperly validates user-supplied input that is used to construct a URL for a server-side request. An attacker can craft a malicious request to the plugin, forcing the web server to send requests to arbitrary destinations, including internal services that are not normally accessible from the internet. This could be used to scan the internal network, interact with internal APIs, or access sensitive information from cloud provider metadata services.

Business Impact

This vulnerability is rated as high severity with a CVSS score of 7.5. Exploitation can lead to significant business impacts, including the breach of confidential information, such as internal network topology, service banners, and potentially cloud infrastructure credentials. An attacker could use the compromised server as a pivot point to launch further attacks against the internal network, jeopardizing the integrity and confidentiality of corporate data and systems. This poses a direct risk to operational security and could result in reputational damage and regulatory non-compliance.

Remediation Plan

Immediate Action: Immediately update the "Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers" plugin to the latest version provided by the vendor (a version greater than 2). If the plugin is not essential for business operations, consider deactivating and removing it to eliminate the attack surface.

Proactive Monitoring: Monitor egress network traffic from the web server for unusual outbound connections, particularly to internal IP address ranges (e.g., 10.0.0.0/8, 192.168.0.0/16) and cloud metadata endpoints (e.g., 169.254.169.254). Review web server access logs for suspicious requests targeting the plugin's functionality that may contain URLs or IP addresses in the parameters.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block SSRF attack patterns. Additionally, enforce strict egress filtering rules on the server's host-based or network firewall to limit the server's ability to initiate connections to internal services and unknown external destinations.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of October 24, 2025, there are no known public exploits or active campaigns targeting this vulnerability. However, vulnerabilities in popular WordPress plugins are frequently reverse-engineered, and proof-of-concept exploits can be developed and published rapidly. Organizations should assume that exploitation is likely in the near future.

Analyst Recommendation
Given the high severity (CVSS 7.5) of this vulnerability and its potential for exposing internal network resources, immediate action is required. We strongly recommend that all system owners identify instances of the vulnerable plugin and apply the vendor-provided security update without delay. Although this CVE is not currently on the CISA KEV list, its high score and the prevalence of WordPress make it a prime target for opportunistic attackers. Prioritize patching to mitigate the risk of a security breach.

Executive Summary:
A critical improper authentication vulnerability exists in the Felan Framework plugin for WordPress. This flaw is caused by a hardcoded password, which allows an unauthenticated attacker to bypass normal login procedures and gain unauthorized administrative access to the affected website, potentially leading to a full site compromise.

Vulnerability Details

CVE-ID: CVE-2025-10850

Affected Software: The Felan Framework plugin for WordPress

Affected Versions: Versions up to, and including, 1.1.4

Vulnerability: The vulnerability is an improper authentication weakness due to a hardcoded password within the fb_ajax_login_or_register function. An attacker who discovers this static, hardcoded password can submit a specially crafted login request to this function. This bypasses standard WordPress authentication mechanisms, granting the attacker access to the site, likely with administrative privileges, without needing valid user credentials.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high risk of compromise with minimal attacker effort. Successful exploitation could lead to a complete takeover of the affected WordPress website. Potential consequences include theft of sensitive user data, financial information, website defacement, distribution of malware to visitors, and using the compromised server as a pivot point for further attacks on the internal network, posing severe reputational, financial, and operational risks to the organization.

Remediation Plan

Immediate Action: Immediately update The Felan Framework plugin for WordPress to the latest patched version that resolves this vulnerability. After patching, it is crucial to review all user accounts (especially administrative ones) for any unauthorized additions or modifications and review access logs for signs of compromise prior to the update.

Proactive Monitoring: Monitor web server and application logs for any direct POST requests to the endpoint associated with the fb_ajax_login_or_register function. Scrutinize login attempts from unknown or suspicious IP addresses. Implement alerts for the creation of new administrative accounts or unexpected changes to plugin or theme files.

Compensating Controls: If immediate patching is not feasible, consider disabling the Felan Framework plugin until it can be updated. Alternatively, deploy a Web Application Firewall (WAF) with a custom rule to block access to the vulnerable AJAX function endpoint. Restricting access to the WordPress login and admin pages (/wp-login.php and /wp-admin/) to trusted IP addresses can also reduce the attack surface.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of the published date, Oct 16, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, vulnerabilities involving hardcoded credentials are trivial to exploit once the password is known, and proof-of-concept code is likely to be developed and published quickly.

Analyst Recommendation

Given the critical CVSS score of 9.8 and the ease of exploitation, immediate remediation is strongly recommended. Organizations must prioritize applying the vendor-supplied patch to all websites using the affected Felan Framework plugin. Although this vulnerability is not currently listed on the CISA KEV list, its high severity and the potential for widespread impact make it a prime target for opportunistic attackers.