Full Report
Threat actors are actively exploiting a critical security flaw impacting the Service Finder WordPress theme that makes it possible to gain unauthorized access to any account, including administrators, and take control of susceptible sites. The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects the Service Finder Bookings, a WordPress plugin bundled with the
Analysis Summary
# Vulnerability: Critical Authentication Bypass in WordPress Service Finder Theme/Bookings Plugin
## CVE Details
- CVE ID: CVE-2025-5947
- CVSS Score: 9.8 (Critical)
- CWE: *Not explicitly mentioned, but stems from improper input validation leading to privilege escalation/authentication bypass.*
## Affected Systems
- Products: WordPress Service Finder Theme (which bundles the Service Finder Bookings plugin)
- Versions: All versions prior to and including 6.0.
- Configurations: Any site running the vulnerable version of the theme/plugin.
## Vulnerability Description
This is a critical authentication bypass and privilege escalation vulnerability in the Service Finder Bookings plugin bundled with the Service Finder WordPress theme. The flaw lies in the account-switching function (`service_finder_switch_back()`): the plugin does not adequately validate the user's cookie value before allowing a login via account switching. An unauthenticated attacker can therefore log in as **any user** on the site, including accounts with the 'administrator' role, leading to full site takeover.
## Exploitation
- Status: **Actively exploited in the wild** (Observed since August 1, 2025).
- Complexity: *Likely Low, given the description of an unauthenticated remote attack.*
- Attack Vector: Network
## Impact
- Confidentiality: High (Full access to site data as any user)
- Integrity: High (Ability to modify/delete site content, install backdoors, etc.)
- Availability: High (Ability to shut down or compromise the site)
## Remediation
### Patches
- Update the Service Finder theme/plugin to **version 6.1** or later (Released July 17, 2025).
### Workarounds
- Administrators are recommended to **audit their sites for any signs of suspicious activity**.
- *No specific additional workarounds were provided, as updating is the definitive fix.*
## Detection
- **Indicators of Compromise (IoCs):** Monitor access logs for requests originating from the following observed attacking IP addresses:
  - 5.189.221.98
  - 185.109.21.157
  - 192.121.16.196
  - 194.68.32.71
  - 178.125.204.198
- **Detection methods and tools:** Monitor for requests that reach the `service_finder_switch_back()` account-switching function, and for administrative logins that do not originate from known users.
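The following log triage script is an added example, not code from the advisory or from the Service Finder project. It applies the two detection ideas above to web-server access logs in Apache/nginx "combined" format: it flags requests from the attacking IP addresses listed in the IoC section, and it flags requests whose path or query string mentions `switch_back`. The second check is an assumption: the advisory names the vulnerable PHP function but not the exact HTTP request that invokes it, so the `switch_back` marker is a placeholder to be tuned to the request signature actually seen on your site. The sample log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# IP addresses listed in the advisory's IoC section as observed attacking sources.
ATTACKER_IPS = {
    "5.189.221.98",
    "185.109.21.157",
    "192.121.16.196",
    "194.68.32.71",
    "178.125.204.198",
}

# ASSUMPTION: the advisory names service_finder_switch_back() but not the HTTP
# request that reaches it. Any request whose path/query contains this marker is
# surfaced for review; replace it with the real request signature for your site.
SWITCH_BACK_MARKER = "switch_back"

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def analyze_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding dict for a suspicious access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-combined-format line; skip it
    reasons: List[str] = []
    if m["ip"] in ATTACKER_IPS:
        reasons.append("known_attacker_ip")
    if SWITCH_BACK_MARKER in m["path"].lower():
        reasons.append("switch_back_request")
        # A 200/302 answer means the server did not reject the switch-back
        # request; a 403/404 is far less interesting than a login-then-redirect.
        if m["status"] in ("200", "302"):
            reasons.append("switch_back_not_rejected")
    if not reasons:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "path": m["path"],
        "status": m["status"],
        "reasons": reasons,
    }


def analyze_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in (analyze_line(ln) for ln in lines) if f is not None]


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges used here for benign/unknown clients.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Oct/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '5.189.221.98 - - [05/Oct/2025:10:00:05 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.7 - - [05/Oct/2025:10:01:00 +0000] "GET /?switch_back=1 HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '192.121.16.196 - - [05/Oct/2025:10:02:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(f'{finding["ts"]} {finding["ip"]} {finding["path"]} '
              f'{finding["status"]} -> {", ".join(finding["reasons"])}')
```

Run it against a real log with `analyze_log(open("access.log").read().splitlines())`; a hit carrying both `known_attacker_ip` and `switch_back_not_rejected` on an unpatched site is the strongest signal in this data and should prompt the account audit the Workarounds section calls for (review of recently created or modified administrator accounts and of unexpected admin logins).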
## References
- [The Hacker News Article](https://thehackernews.com/2025/10/critical-exploit-lets-hackers-bypass.html)
- [Wordfence Advisory](https://www.wordfence.com/blog/2025/10/attackers-actively-exploiting-critical-vulnerability-in-service-finder-bookings-plugin/)
- [Theme/Product Page (for reference)](https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793)