Exploitation of WordPress Plugin Vulnerability Escalates
In recent months, malicious actors have adeptly capitalized on a serious authentication bypass vulnerability within the Service Finder Bookings WordPress plugin, enabling unprecedented access to compromised accounts across numerous sites.
This critical flaw was initially disclosed on July 31, 2025, following a bug bounty investigation that unearthed the plugin's servicefinderswitchback function, which improperly validated a user-switch cookie, leading to unauthorized privilege escalation.
Following its revelation, adversaries promptly reverse-engineered the vulnerability, instigating a series of exploitation campaigns that escalated from August 1 into September, with alarming rapidity.
During this perilous phase, the Wordfence Firewall successfully thwarted over 13,800 exploitation attempts targeting thousands of installations running the vulnerable versions of the plugin.
In the initial stages of the attacks, threat actors dispatched meticulously crafted HTTP requests embedding a malicious originaluserid cookie, thereby circumventing authentication protocols entirely.

Wordfence analysts observed a pronounced increase in irregular switchback requests mere hours post-disclosure, which necessitated the swift implementation of a firewall rule for all Wordfence Premium, Care, and Response clientele.
| CVE ID | Affected Plugin | Versions Affected | Patched Version | CVSS 3.1 Score | Attack Vector |
|---|---|---|---|---|---|
| CVE-2025-5947 | Service Finder Bookings | ≤ 6.0 | 6.1 | 9.8 | Authentication Bypass |
Notably, installations utilizing the free version of the plugin received protective measures only after a 30-day delay, leaving many instances of this software vulnerable until mid-July.
The ramifications of successful exploitation are dire: an unauthorized user can obtain comprehensive administrative privileges, facilitating backdoor installations, data exfiltration, or even complete site defacement.
With more than 6,000 active installations of the susceptible plugin, the threat landscape expanded as scanning bots and automated exploit kits began to probe for Service Finder Bookings endpoints.
Mechanisms of Infection
An examination of the exploit reveals that attackers target the servicefinderswitchback endpoint by submitting a GET request to ?switchback=1, accompanied by a Cookie: originaluserid= header carrying the chosen user ID.
The plugin code subsequently executes:
```php
// Vulnerable handler as described above: the user ID is read straight from
// a client-controlled cookie, with no check that a session exists, that a
// nonce is present, or that this user actually switched accounts earlier.
if ( isset( $_COOKIE['originaluserid'] ) ) {
    $originaluserid = intval( $_COOKIE['originaluserid'] );
    // Attacker-chosen ID becomes the current user for this request...
    wp_set_current_user( $originaluserid );
    // ...and is then persisted as a full login cookie ("remember me" = true).
    wp_set_auth_cookie( $originaluserid, true );
}
```
Due to the absence of authentication or nonce checks, the user ID provided by the attacker is accepted unconditionally, logging them in as that user—often as the site administrator.
This straightforward yet potent bypass illuminates the pressing necessity for meticulous input validation within session-management protocols.
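As an added illustration (not the plugin's code and not necessarily the vendor's patch), the following shows one way to harden a switch-back handler so that the identity being restored is never taken from the request. The function name hardened_switch_back, the user-meta key _switched_from_user and the nonce action string are assumptions for this example.

```php
<?php
// Added example, not from the plugin. Design: when a privileged user switches
// into another account (that path is not shown, and must itself be
// capability-checked, e.g. current_user_can('manage_options')), the original
// user ID is stored server-side in user meta on the target account. Switching
// back then requires (1) a logged-in session, (2) a valid nonce bound to that
// session, and (3) a server-side record of who switched in. Nothing from a
// cookie or query string decides which account is restored.

function hardened_switch_back() {
    // Only act on the switch-back request itself.
    if ( empty( $_GET['switchback'] ) ) {
        return;
    }

    // (1) An unauthenticated visitor has no session to switch back from.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in.', 'Forbidden', array( 'response' => 403 ) );
    }
    $current_id = get_current_user_id();

    // (2) The nonce is tied to the current user's session token, so a bare
    //     GET crafted by a third party fails here.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'switch_back_' . $current_id ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }

    // (3) The target identity comes from server-side state written by the
    //     switch-in path (assumed meta key), never from client input.
    $original_id = (int) get_user_meta( $current_id, '_switched_from_user', true );
    if ( $original_id <= 0 || ! get_userdata( $original_id ) ) {
        wp_die( 'No switch-back record.', 'Forbidden', array( 'response' => 403 ) );
    }

    // One-shot: clear the record before switching so it cannot be replayed.
    delete_user_meta( $current_id, '_switched_from_user' );

    wp_set_current_user( $original_id );
    wp_set_auth_cookie( $original_id, true );
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'init', 'hardened_switch_back' );
```

Compared with the vulnerable snippet, the cookie is gone entirely: a request that lacks a session, a matching nonce, or a server-side switch record is rejected with a 403 rather than silently logging the caller in.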
Source link: Cybersecuritynews.com.