Website administrators utilizing the Service Finder WordPress theme, along with its integrated Bookings plugin, are strongly advised to promptly update their software.
A severe security vulnerability, currently under active exploitation by cybercriminals, permits unauthorized entities to commandeer affected websites entirely.
Unfettered Access to Admin Accounts
This vulnerability, designated as CVE-2025-5947, constitutes an authentication bypass. In layman’s terms, it allows a hacker to circumvent the login mechanism without possessing valid credentials. Security analysts have assigned this flaw a critical severity rating of 9.8 out of 10.
The core of the problem resides within the way the Service Finder Bookings plugin manages account-switching functionality. Malicious actors have discovered they can exploit this by dispatching a request to the website while deceitfully inserting a cookie—a minuscule piece of data—that masquerades them as the site’s administrator.
The plugin inadequately verifies whether this identifying information is legitimate.
This oversight permits any intruder, including those without an account on the site, to deceive the system into authenticating them as any user, including the administrator.
Once granted administrative access, they are capable of injecting harmful scripts, redirecting visitors to fraudulent websites, or even utilizing the platform to host malicious software.
Discovery and Current Attacks
This vulnerability was initially uncovered by a researcher identified as Foxyyy and subsequently reported through the Wordfence Bug Bounty Program.
Wordfence, a prominent player in WordPress security, facilitated the responsible disclosure process, publishing the details alongside the researcher’s identity on their platform.
Informed by a blog post from Wordfence, it has become clear that every iteration of the theme up to and including version 6.0 is susceptible. The developers promptly issued a fix in version 6.1 on July 17, 2025.
Alarmingly, despite the release of the patch, malicious actors commenced their exploitation attempts almost immediately, starting on August 1, 2025.
Furthermore, over 13,800 attempts to leverage this vulnerability have been reported since that date. With more than 6,000 customers having purchased the Service Finder theme, a significant number of websites may remain vulnerable.
Administrators are urgently encouraged to update both the Service Finder theme and plugin to version 6.1 or newer without delay. Notably, for users employing security solutions like the Wordfence firewall, many of these attacks have been thwarted.
The firewall is adept at identifying the fraudulent cookie data used by attackers, blocking their requests before they reach the vulnerable sections of the site.
Nonetheless, executing a software update stands as the most effective and comprehensive safeguard against unauthorized access of this nature.
Perspective on Web Security
“The recurring nature of critical WordPress vulnerabilities must not be overlooked, especially as threat actors increasingly automate the exploitation of commonplace CMS plugins to ensure persistent access to web infrastructures,” remarked Gunter Ollmann, CTO at Cobalt.
“Once they penetrate the system, adversaries can pivot towards disseminating malware, purloining credentials, or enlisting compromised sites into large-scale botnets,” Ollmann cautioned.
“Given the inherent accessibility of the WordPress ecosystem, it remains a prime target. Consequently, security teams should approach this service with skepticism, fortifying systems around it to safeguard crucial data and interconnected networks.”
Source link: Hackread.com.
